Fw: Build Reproducibility in Debian - Opinion Needed
Bernhard M. Wiedemann
bernhardout at lsmod.de
Thu Aug 25 06:38:11 UTC 2022
Muhammad Hassan wrote:
> Do you feel there is potential for detecting build unreproducibility statically (without executing adversarial rebuilds)?
Yes, there are a number of potentially troublesome strings listed in
https://github.com/bmwiedemann/reproducibleopensuse/blob/master/howtodebug#L31
If one of these gets added, it may be harmless, but would warrant a
rebuild test or closer inspection of the source.
On 24/08/2022 19.37, Chris Lamb wrote:
> Other avenues requiring a single build would include all the instrumentation
> approaches (eg. strace/systemtap, etc.) taken by a few projects. I think
> Bernhard might be able to speak better on this, and there are some
> academic projects in this area as well.
My strace approach uses
https://github.com/bmwiedemann/reproducibleopensuse/blob/master/stracebuild
to trigger
https://github.com/bmwiedemann/reproducible-faketools/blob/master/bin/rpmbuild-strace
I use that to find where unreproducible files come from with
https://github.com/bmwiedemann/reproducibleopensuse/blob/master/autoprovenance
It seems strace cannot see time syscalls - maybe because those do not
reach the kernel via the linux-vdso.so.1 shortcut.
It would be possible to see accesses to /dev/[u]random and readdir syscalls.
I have also played a bit with ptrace-based
https://github.com/dettrace/dettrace
but it needed regular updates as Linux keeps introducing new syscalls.
Ciao
Bernhard M.
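As an added example of the two ideas in this message (it is not code from Bernhard's reproducibleopensuse or reproducible-faketools repositories), the script below does a lexical scan for build-time-leaking strings and a provenance pass over strace output. Assumptions: the suspicious-string list is a short illustrative subset, not the howtodebug list; the strace input is the pid-prefixed format written by `strace -f -o logfile`; the log and the C source are constructed samples, and `gen-id` is a hypothetical tool. As the message says, time calls answered by the vDSO never reach the kernel, so they are invisible to this pass, whereas `/dev/[u]random` opens and `getdents*` (readdir) calls are caught.

```python
"""Added example for this thread, not the reproducibleopensuse tools.

static_scan():       flag source lines containing strings that often leak
                     build time, host or directory order. A hit means
                     "rebuild and compare", not "unreproducible".
strace_provenance(): map each file opened for writing back to the command
                     that wrote it, and record the nondeterminism sources
                     strace can see: /dev/[u]random opens and getdents*.
Assumed input: lines of `strace -f -o logfile`, i.e. "PID  call(args) = ret".
"""
import re

# Assumed, deliberately short list; not a copy of the howtodebug list.
SUSPICIOUS_STRINGS = (
    "__DATE__", "__TIME__", "__TIMESTAMP__",
    "gethostname", "/dev/urandom", "/dev/random",
    "readdir(", "os.listdir(", "glob(",
    "time.time()", "datetime.now(", "date +",
)

# Constructed sample source: embeds the compile timestamp into the binary.
SAMPLE_SOURCE = """\
#include <stdio.h>
const char *built = __DATE__ " " __TIME__;
int main(void) { puts(built); return 0; }
"""

# Constructed sample log; gen-id is a hypothetical tool, not a real package.
SAMPLE_STRACE = """\
1000  execve("/bin/sh", ["sh", "-c", "make"], 0x7ffc8 /* 19 vars */) = 0
1000  clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|SIGCHLD, child_tidptr=0x7f1) = 1001
1001  execve("/usr/bin/gcc", ["gcc", "-c", "app.c", "-o", "out/app.o"], 0x55e /* 19 vars */) = 0
1001  openat(AT_FDCWD, "app.c", O_RDONLY|O_NOCTTY) = 3
1001  openat(AT_FDCWD, "out/app.o", O_RDWR|O_CREAT|O_TRUNC, 0666) = 4
1000  clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|SIGCHLD, child_tidptr=0x7f1) = 1002
1002  execve("/usr/bin/tar", ["tar", "-cf", "out/dist.tar", "out"], 0x55e /* 19 vars */) = 0
1002  openat(AT_FDCWD, "out", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
1002  getdents64(3, 0x55d0c0, 32768) = 80
1002  openat(AT_FDCWD, "out/dist.tar", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 4
1000  clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|SIGCHLD, child_tidptr=0x7f1) = 1003
1003  execve("/usr/bin/gen-id", ["gen-id", "out/build.id"], 0x55e /* 19 vars */) = 0
1003  openat(AT_FDCWD, "/dev/urandom", O_RDONLY|O_CLOEXEC) = 3
1003  openat(AT_FDCWD, "out/build.id", O_WRONLY|O_CREAT|O_TRUNC, 0644) = 4
1003  +++ exited with 0 +++
"""

# "PID  call(args) = ret"; '<unfinished ...>', 'resumed' and exit lines do not match.
STRACE_LINE = re.compile(r"^(?P<pid>\d+)\s+(?P<call>[a-z0-9_]+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\d+)")
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')
WRITE_FLAGS = ("O_WRONLY", "O_RDWR", "O_CREAT")


def static_scan(source):
    """Return (line_no, marker, line) for each suspicious string occurrence."""
    hits = []
    for no, line in enumerate(source.splitlines(), 1):
        for marker in SUSPICIOUS_STRINGS:
            if marker in line:
                hits.append((no, marker, line.strip()))
    return hits


def strace_provenance(log):
    """Attribute written files and nondeterminism sources to commands."""
    cmd = {}            # pid -> argv of its last successful execve
    written = {}        # output path -> command that opened it for writing
    random_reads = []   # (command, device) for /dev/[u]random opens
    dir_listings = []   # commands whose output may depend on readdir order
    for line in log.splitlines():
        m = STRACE_LINE.match(line)
        if not m:
            continue
        pid, call, args, ret = m["pid"], m["call"], m["args"], int(m["ret"])
        who = cmd.get(pid, "?")
        if call == "execve" and ret == 0:
            argv = re.search(r"\[(.*?)\]", args)
            cmd[pid] = " ".join(QUOTED.findall(argv.group(1))) if argv else "?"
        elif call in ("clone", "clone3", "fork", "vfork") and ret > 0:
            cmd[str(ret)] = who          # child inherits until its own execve
        elif call in ("open", "openat") and ret >= 0:
            path_m = QUOTED.search(args)
            path = path_m.group(1) if path_m else "?"
            if path in ("/dev/urandom", "/dev/random"):
                random_reads.append((who, path))
            elif any(flag in args for flag in WRITE_FLAGS):
                written[path] = who
        elif call in ("getdents", "getdents64") and ret > 0:
            if who not in dir_listings:
                dir_listings.append(who)
    return {"written": written, "random": random_reads, "readdir": dir_listings}


if __name__ == "__main__":
    for no, marker, text in static_scan(SAMPLE_SOURCE):
        print(f"source line {no}: {marker!r} in {text!r}")
    report = strace_provenance(SAMPLE_STRACE)
    for path, who in report["written"].items():
        print(f"{path} written by: {who}")
    for who, dev in report["random"]:
        print(f"{dev} read by: {who}")
    for who in report["readdir"]:
        print(f"directory order may leak via: {who}")
```

Each file in the report that later differs between two builds can be traced straight to the command that produced it, and the `random` and `readdir` lists give the first places to look; a file that differs without either entry is a candidate for a vDSO-served time call that this pass cannot observe.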