Arch Linux minimal container userland 100% reproducible - now what?
John Gilmore
gnu at toad.com
Tue Apr 2 17:11:27 UTC 2024
James Addison wrote that local storage can contain errors. I agree.
> My guess is that we could get into near-unsolvable philosophical territory
> along this path, but I think it's worth being skeptical of the notions that
> local-storage is always trustworthy and that the network should always be
> avoided.
For me, the distinction is that the local storage is under the direct
control of the person trying to rebuild, while the network and the
servers elsewhere in the network are not. If local storage is
unreliable, you can fix or replace it, and continue with your work.
I am looking for reproducibility that is completely doable by the person
trying to do it, at any time after when they obtain a limited number of
key items by any means: the bootable binary of the OS release, and what
the GPL calls the "Corresponding Source".
And, I am very happy to be seeing lots of incremental progress along the way!
John
PS: I have a local archive of the source ISO images and the binary ISO
images of many Ubuntu, Fedora, Debian, BSD, etc releases. It all fits
easily on a single hard disk drive, and that drive has many backups from
different times. The images all have checksums that were checked when I
obtained the images. The checksums are in the backups, so I can see if
my copies were tampered with or merely suffered from storage degradation
over time.
And I can easily copy the whole thing and send you a copy, if you want
one; or put it on the Internet (some of the releases are available from
me now via BitTorrent). If those distros were reproducible, I could
verify that each of those binary releases was untampered. Or YOU could,
without my help, after you got a copy from me or from anyone. And if
you suspected a binary Ken Thompson attack, you could use those releases
locally at your site, as the source material for an arbitrarily intense
diverse double-compilation check. Without my help, and without the help
of anyone else on the Internet.
In short, making a local archive of reproducible binaries and their
corresponding sources, readily enables all the verifications that we are
trying to make common in the world.
More information about the rb-general
mailing list