Reproducible Builds for recent Debian security updates
Salvatore Bonaccorso
carnil at debian.org
Sat Mar 30 11:06:35 UTC 2024
Hi Vagrant,
On Fri, Mar 29, 2024 at 07:38:35PM -0700, Vagrant Cascadian wrote:
> Philipp Kern asked about trying to do reproducible builds checks for
> recent security updates to try to gain confidence about Debian's buildd
> infrastructure, given that they run builds in sid chroots which may have
> used or built or run a vulnerable xz-utils...
>
> So far, I have not found any reproducibility issues; everything I tested
> I was able to get to build bit-for-bit identical with what is in the
> Debian archive.
>
> I only tested bookworm security updates (not bullseye), and I tested the
> xz-utils update now present in unstable, which took a little trial and
> error to find the right snapshot! The build dependencies for Debian
> bookworm (a.k.a. stable) were *much* easier to satisfy, as it is not a
> moving target!
>
>
> Debian bookworm security updates verified:
>
> cacti iwd libuv1 pdns-recursor samba composer fontforge knot-resolver
> php-dompdf-svg-lib squid yard
>
> Not yet finished building:
>
> openvswitch
>
> Did not yet try some time and disk-intensive builds:
>
> chromium firefox-esr thunderbird
>
> Debian unstable updates verified:
>
> xz-utils
>
>
> A tarball of build logs (including some failed builds) and .buildinfo
> files is available at:
>
> https://people.debian.org/~vagrant/debian-security-rebuilds.tar.zst
>
>
> Some caveats:
>
> Notably, xz-utils has a build dependency that pulls in xz-utils, and the
> version used may have been a vulnerable version (partly vulnerable?),
> 5.6.0-0.2.
>
> The machine where I ran the builds had done some builds using packages
> from sid over the last couple months, so may have at some point run the
> vulnerable xz-utils code, so is not absolutely the cleanest of
> checks... but is at least some sort of data point.
>
> The build environment used tarballs that had usrmerge applied (as it is
> harder to not apply usrmerge these days), while the buildd
> infrastructure chroots do not have usrmerge applied. But this did not
> appear to cause significant problems, although it pulled in a few more perl
> dependencies!
>
>
> I used sbuild with the --chroot-mode=unshare mode. For the xz-utils
> build I used some of the ideas developed in an earlier verification
> builds experiment:
>
> https://salsa.debian.org/reproducible-builds/debian-verification-build-experiment/-/blob/e003ddf19de13db2d512c25417e4bec863c3a082/sbuild-wrap#L71
>
>
> Was great to try and apply Reproducible Builds to real-world uses!
Thanks a lot for doing this verification work!
There would be an upcoming (or actually postponed) util-linux update
as well. Could you as extra paranoia please verify these here as well
(I assume it's enough for you that the source package is signed, I
stripped the signature from the changes):
https://people.debian.org/~carnil/tmp/util-linux/
Regards,
Salvatore
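The comparison Vagrant describes (a local rebuild checked bit-for-bit against what the archive ships, using the .buildinfo files) can be mechanised as in the following Python example. It is added here and is neither part of this thread nor Debian's own tooling: the .buildinfo text, the artefact bytes and the package versions inside it are constructed for the demonstration, and the parser handles only the Checksums-Sha256 and Installed-Build-Depends fields of the deb822 layout. The build-dependency lookup is there for the caveat about which xz-utils ended up in the build environment, so a verifier can flag a rebuild whose environment pulled in a version of concern.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple

# Constructed stand-ins for the rebuilt .deb files (real .deb files are ar
# archives; any bytes are enough to exercise the checksum comparison).
CONSTRUCTED_ARTEFACTS = {
    "example-pkg_1.0-1_amd64.deb": b"constructed payload for example-pkg\n",
    "example-pkg-doc_1.0-1_all.deb": b"constructed payload for example-pkg-doc\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed .buildinfo in the deb822 layout: continuation lines start with a
# single space; Checksums-Sha256 rows are "<sha256> <size> <filename>". The
# package versions listed under Installed-Build-Depends are made up, except
# the xz-utils one, which mirrors the version mentioned in the thread.
CONSTRUCTED_BUILDINFO = "\n".join(
    [
        "Format: 1.0",
        "Source: example-pkg",
        "Binary: example-pkg example-pkg-doc",
        "Architecture: amd64 all",
        "Version: 1.0-1",
        "Checksums-Sha256:",
    ]
    + [f" {sha256_hex(d)} {len(d)} {n}" for n, d in CONSTRUCTED_ARTEFACTS.items()]
    + [
        "Build-Origin: Debian",
        "Build-Architecture: amd64",
        "Installed-Build-Depends:",
        " base-files (= 1.0-1),",
        " xz-utils (= 5.6.0-0.2)",
        "",
    ]
)


def parse_buildinfo(text: str) -> Dict[str, dict]:
    """Extract the fields a rebuild verifier needs from a .buildinfo file.

    Returns {"checksums": {filename: (sha256, size)},
             "build_depends": {package: version}}.
    """
    checksums: Dict[str, Tuple[str, int]] = {}
    build_depends: Dict[str, str] = {}
    current = None
    for line in text.splitlines():
        if line.startswith(" "):
            body = line.strip()
            if current == "Checksums-Sha256" and body:
                digest, size, name = body.split()
                checksums[name] = (digest, int(size))
            elif current == "Installed-Build-Depends" and body:
                # Entries look like "pkg (= version)," with a trailing comma
                # on all but the last line.
                pkg, _, ver = body.rstrip(",").partition(" (= ")
                build_depends[pkg] = ver.rstrip(")")
        elif ":" in line:
            current = line.split(":", 1)[0]
    return {"checksums": checksums, "build_depends": build_depends}


def verify_rebuild(buildinfo_text: str, artefact_dir: Path) -> Dict[str, str]:
    """Compare each artefact listed in the archive's .buildinfo with the
    locally rebuilt file of the same name.

    Status per file: "match" (size and SHA-256 agree), "mismatch" (the rebuild
    is not bit-for-bit identical), or "missing" (nothing was produced).
    """
    expected = parse_buildinfo(buildinfo_text)["checksums"]
    report: Dict[str, str] = {}
    for name, (digest, size) in expected.items():
        path = artefact_dir / name
        if not path.is_file():
            report[name] = "missing"
            continue
        data = path.read_bytes()
        ok = len(data) == size and sha256_hex(data) == digest
        report[name] = "match" if ok else "mismatch"
    return report


def build_dep_version(buildinfo_text: str, package: str) -> Optional[str]:
    """Version of `package` that was installed while the archive build ran,
    or None if the package was not part of the build environment."""
    return parse_buildinfo(buildinfo_text)["build_depends"].get(package)


def run_demo() -> Dict[str, str]:
    """Write the constructed artefacts to a scratch directory, corrupt one of
    them to simulate a non-reproducible rebuild, and verify the result."""
    with tempfile.TemporaryDirectory() as tmp:
        out = Path(tmp)
        for name, data in CONSTRUCTED_ARTEFACTS.items():
            (out / name).write_bytes(data)
        doc = out / "example-pkg-doc_1.0-1_all.deb"
        doc.write_bytes(doc.read_bytes().replace(b"doc", b"DOC"))
        return verify_rebuild(CONSTRUCTED_BUILDINFO, out)


if __name__ == "__main__":
    for filename, status in run_demo().items():
        print(f"{status:9} {filename}")
    print("xz-utils in build env:", build_dep_version(CONSTRUCTED_BUILDINFO, "xz-utils"))
```

In practice the .buildinfo comes from the archive (or buildinfos.debian.net) and the artefact directory is the output of the local sbuild run; a "mismatch" is the signal to diff the two .deb files, for instance with diffoscope, rather than a verdict on its own.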