[rb-general] Reproducible builds and distributed CI

Santiago Torres-Arias santiago at archlinux.org
Mon Aug 12 16:10:11 UTC 2019


On Sun, Aug 11, 2019 at 12:06:41PM +0300, Lars Wirzenius wrote:
> Thank you for you thoughtful feedback!
> 
> I've been pondering this topic again. It's important to me (meaning
> that this is part of my main hobby project), but due to life reasons,
> its not an urgent one for me.
> 
> I came up with the initial threat modelling below. Feedback on that is
> welcome, and I hope it can be of use for others who are thinking about
> the same things. My conclusion after discussions here, elsewhere, and
> my own thinking and research, is that "distributed CI" is plausible,
> and that reproducible builds would be an important building block for
> it, but that there's a lot of other details to get right, too. (Which
> is not a blocker, but makes it a more interesting problem to solve.)
> 
> The two use cases for distributed CI I'm thinking of are:
> 
> * providing a massive CI build farm for free software development, by
>   recruiting thousands of people to donate worker time
> 
> * enabling companies to make use of spare capacity in their employees'
>   work computers for CI; some companies already do this, but it's a
>   little awkward

Hi! I'm biased but I think in-toto would be a good means to synchronize
and ensure integrity between the artifacts on a distributed CI. We just
published a paper on in-toto here[1]. The specification is meant to be
completely decentralized, and it would probably provide stronger
security guarantees by means of its threshold mechanism compared to
single-point-of-failure CI systems.

Cheers!
-Santiago.

[1] https://www.usenix.org/conference/usenixsecurity19/presentation/torres-arias
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.reproducible-builds.org/pipermail/rb-general/attachments/20190812/41fb7da8/attachment.sig>


More information about the rb-general mailing list