Opened 13 months ago

Last modified 13 months ago

#26813 new enhancement

Modify about:buildconfig to include reproducible build information

Reported by: tom Owned by: tbb-team
Priority: Low Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords:
Cc: boklm Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

While reading the Hacking doc, I saw the following:

Be aware that this process is not fully future-proof. In particular, if Debian has updated their development tool chain since the bundles have been built, you may encounter differences between your resulting bundles and the original binaries. This should be rare, however, as we use only the "Long Term Support" or "Oldstable" of Debian in our build VMs. The only reason they should change the tool chain is in the event of serious security issues in the development tools themselves.

It seems like it would be advantageous to include a bunch of (additional) information in about:buildconfig to allow fully reproducing (or at least comparing) builds, such as git tags/commits and information about the reproducible build environment, such as the versions of packages.

Change History (1)

comment:1 Changed 13 months ago by boklm

Currently we install the latest package updates available at the time when we generate the build containers. It is possible that some update causes the build to be different, but for most updates this does not change our build. However, if we include the versions of all packages in about:buildconfig, it will cause the build to be different for any minor package update.

If we want to avoid possible issues caused by package updates, we could use http://snapshot.debian.org/ to only install updates from a specific date.
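An added example, not part of the ticket or of the Tor Browser build scripts: one way to pin a build container's apt sources to a snapshot.debian.org timestamp, so that every rebuild installs the same package versions. The function names, the `stretch` suite, the `<suite>/updates` security naming and the date are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: generate apt sources pinned to one snapshot.debian.org date.
# snapshot_stamp and pinned_sources are hypothetical helper names.

# snapshot_stamp DATE -> YYYYMMDDT000000Z on stdout.
# Rejects anything that is not YYYY-MM-DD so a typo cannot silently
# produce an unpinned or malformed archive URL.
snapshot_stamp() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-1][0-9]-[0-3][0-9]) ;;
        *) echo "expected YYYY-MM-DD, got: $1" >&2; return 1 ;;
    esac
    printf '%sT000000Z\n' "$(printf '%s' "$1" | tr -d '-')"
}

# pinned_sources SUITE DATE -> sources.list contents on stdout.
pinned_sources() {
    suite=$1
    stamp=$(snapshot_stamp "$2") || return 1
    base=http://snapshot.debian.org/archive
    # check-valid-until=no: Release files served from a snapshot are past
    # their Valid-Until date by design, so apt would reject them as expired.
    # The Release signature is still verified.
    opts='[check-valid-until=no]'
    printf 'deb %s %s/debian/%s/ %s main\n' \
        "$opts" "$base" "$stamp" "$suite"
    # Assumption: security suite is named "<suite>/updates" (older releases).
    printf 'deb %s %s/debian-security/%s/ %s/updates main\n' \
        "$opts" "$base" "$stamp" "$suite"
}

# Usage inside a container build (date and suite are constructed samples):
#   pinned_sources stretch 2018-07-17 > /etc/apt/sources.list
```

Recording the chosen date alongside the build gives a single value that identifies the package set, instead of embedding every package version in the build output.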
