Reproducible Builds for recent Debian security updates

Salvatore Bonaccorso carnil at debian.org
Sat Mar 30 11:06:35 UTC 2024


Hi Vagrant,

On Fri, Mar 29, 2024 at 07:38:35PM -0700, Vagrant Cascadian wrote:
> Philipp Kern asked about trying to do reproducible builds checks for
> recent security updates to try to gain confidence about Debian's buildd
> infrastructure, given that they run builds in sid chroots which may have
> used or built or run a vulnerable xz-utils...
> 
> So far, I have not found any reproducibility issues; everything I tested
> I was able to get to build bit-for-bit identical with what is in the
> Debian archive.
> 
> I only tested bookworm security updates (not bullseye), and I tested the
> xz-utils update now present in unstable, which took a little trial and
> error to find the right snapshot! The build dependencies for Debian
> bookworm (a.k.a. stable) were *much* easier to satisfy, as it is not a
> moving target!
> 
> 
> Debian bookworm security updates verified:
> 
>   cacti iwd libuv1 pdns-recursor samba composer fontforge knot-resolver
>   php-dompdf-svg-lib squid yard
> 
> Not yet finished building:
> 
>   openvswitch
> 
> Did not yet try some time and disk-intensive builds:
> 
>   chromium firefox-esr thunderbird
> 
> Debian unstable updates verified:
> 
>   xz-utils
> 
> 
> A tarball of build logs (including some failed builds) and .buildinfo
> files is available at:
> 
>   https://people.debian.org/~vagrant/debian-security-rebuilds.tar.zst
> 
> 
> Some caveats:
> 
> Notably, xz-utils has a build dependency that pulls in xz-utils, and the
> version used may have been a vulnerable version (partly vulnerable?),
> 5.6.0-0.2.
> 
> The machine where I ran the builds had done some builds using packages
> from sid over the last couple of months, so may have at some point run the
> vulnerable xz-utils code, so it is not absolutely the cleanest of
> checks... but it is at least some sort of data point.
> 
> The build environment used tarballs that had usrmerge applied (as it is
> harder to not apply usrmerge these days), while the buildd
> infrastructure chroots do not have usrmerge applied. But this did not
> appear to cause significant problems, although it pulled in a few more perl
> dependencies!
> 
> 
> I used sbuild with the --chroot-mode=unshare mode. For the xz-utils
> build I used some of the ideas developed in an earlier verification
> builds experiment:
> 
>   https://salsa.debian.org/reproducible-builds/debian-verification-build-experiment/-/blob/e003ddf19de13db2d512c25417e4bec863c3a082/sbuild-wrap#L71
> 
> 
> Was great to try and apply Reproducible Builds to real-world uses!

Thanks a lot for doing this verification work!

There would be an upcoming (or actually postponed) util-linux update
as well. Could you, as extra paranoia, please verify these here as well
(I assume it's enough for you that the source package is signed; I
stripped the signature from the changes):

https://people.debian.org/~carnil/tmp/util-linux/

Regards,
Salvatore
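One way to perform the bit-for-bit comparison Vagrant describes, as an added example that is not code from this thread, from sbuild or from the reproducible-builds tooling: parse the Checksums-Sha256 field of the archive's .buildinfo and check each listed artefact against the locally rebuilt file. The package name, checksums and file contents in demo() are constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def parse_checksums(buildinfo_text):
    """Return {filename: (sha256_hex, size)} from the Checksums-Sha256
    field of a .buildinfo (one ' <sha256> <size> <name>' line per file)."""
    checks, in_field = {}, False
    for line in buildinfo_text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_field = True
            continue
        if in_field:
            if not line.startswith(" "):  # next field: continuation lines end
                break
            digest, size, name = line.split()
            checks[name] = (digest, int(size))
    return checks


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_rebuild(buildinfo_text, rebuilt_dir):
    """Compare the archive's .buildinfo checksums with the rebuilt artefacts.
    Returns {filename: 'match' | 'MISMATCH' | 'missing'}; size is checked
    first so a truncated file is reported without hashing it."""
    results = {}
    for name, (digest, size) in parse_checksums(buildinfo_text).items():
        path = os.path.join(rebuilt_dir, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif os.path.getsize(path) == size and sha256_of(path) == digest:
            results[name] = "match"
        else:
            results[name] = "MISMATCH"
    return results


def demo():
    """Constructed scenario: one .deb rebuilt identically, the dbgsym .deb
    differing, and the .dsc absent from the rebuild directory."""
    deb, dbg = b"constructed identical deb payload\n", b"constructed dbgsym payload\n"
    buildinfo = ("Format: 1.0\nSource: example\nChecksums-Sha256:\n"
                 f" {hashlib.sha256(deb).hexdigest()} {len(deb)} example_1.0-1_amd64.deb\n"
                 f" {hashlib.sha256(dbg).hexdigest()} {len(dbg)} example-dbgsym_1.0-1_amd64.deb\n"
                 f" {hashlib.sha256(b'dsc').hexdigest()} 3 example_1.0-1.dsc\n"
                 "Build-Origin: Debian\n")
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "example_1.0-1_amd64.deb"), "wb") as f:
            f.write(deb)
        with open(os.path.join(d, "example-dbgsym_1.0-1_amd64.deb"), "wb") as f:
            f.write(b"constructed DIFFERENT dbgsym payload\n")
        return verify_rebuild(buildinfo, d)
```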

