I had the opportunity to participate on an Athen’s Hackerspace event with a dozen debian developers about the issue with reproducible distribution’s package builds.
I had never thought of this thing before and the presentation blown me away !
So here is the deal, if you download the latest openssl package from an archlinux mirror (want archlinux users will going to do):
# pacman -Sw openssl
What if we tried to build openssl by our selfs from the PKGBUILD file ?
# cd /var/abs/core/openssl $ makepkg -cf ==> Making package: openssl 1.0.2.e-1 (Sun Dec 6 13:07:08 EET 2015) ==> Checking runtime dependencies... ==> Checking buildtime dependencies... ==> Retrieving sources... -> Found openssl-1.0.2e.tar.gz -> Found openssl-1.0.2e.tar.gz.asc -> Found no-rpath.patch -> Found ca-dir.patch ==> Validating source files with md5sums... openssl-1.0.2e.tar.gz ... Passed openssl-1.0.2e.tar.gz.asc ... Skipped no-rpath.patch ... Passed ca-dir.patch ... Passed ==> Verifying source file signatures with gpg... openssl-1.0.2e.tar.gz ... Passed ==> Extracting sources... -> Extracting openssl-1.0.2e.tar.gz with bsdtar ==> Starting prepare()... ... ... ... ==> Leaving fakeroot environment. ==> Finished making: openssl 1.0.2.e-1 (Sun Dec 6 13:11:06 EET 2015) ==> Cleaning up...
Let’s check the md5sum:
# md5sum /var/cache/pacman/pkg/openssl-1.0.2.e-1-x86_64.pkg.tar.xz /var/abs/core/openssl/openssl-1.0.2.e-1-x86_64.pkg.tar.xz b555ac4294a2f39ef0caa19e21a28355 /var/cache/pacman/pkg/openssl-1.0.2.e-1-x86_64.pkg.tar.xz 08755bad654f74b8a1c4c5386934aeea /var/abs/core/openssl/openssl-1.0.2.e-1-x86_64.pkg.tar.xz
why isnt both files similar exactly the same ?
Let’s find out what are the differences between these two files by using diffoscope
diffoscope --html /tmp/openssl.html /var/cache/pacman/pkg/openssl-1.0.2.e-1-x86_64.pkg.tar.xz /var/abs/core/openssl/openssl-1.0.2.e-1-x86_64.pkg.tar.xz
fire up an html browser and open /tmp/openssl.html
Read carefully the output, most of them are timestamps.
So what this fuzz is all about ?
There is a huge problem actually, we trust our distributions for privacy and security.
But what if governments have already compromised ftp mirrors or by MITM we have already installed a backdoor software?
That’s what core developers from major distributions are fighting as we speak, they are trying to engage more core developers and find a way to redistribute reproducible builds so that you can actually verify a package build on your PC.
Need to know more?
Click here: reproducible-builds
Can you help ?
take a look on diffoscope