May Contain Hackers 2022, NL

Arnout Engelen - @raboof@merveilles.town

## Who cares?

![who cares? developers and users alike!](images/whocares-1.svg)

Note:
Two groups, loosely: developers (anyone, individual or team, who writes code and distributes binaries) and users (anyone who consumes those binaries). Developers first.
Goal: the binary the user runs corresponds to the code the developer wrote.
Reproducible builds (r-b) are a concept/technique, not a particular tool or technology, and apply across ecosystems.
Ask the room: not obvious? A well-known project builds, signs and distributes its binaries.
![from code to shipping](images/pipeline-simple.svg)

Note:
The software supply chain, simplified. R-b addresses the middle, where foul play can happen. Assume the source is audited; the goal is a malware-free binary. Not so simple.
![from code to shipping](images/pipeline-libsandcode.svg)

Note:
We also trust other inputs, such as libraries. How do we trust those? Turtles all the way down; this is where the ecosystem comes in. Leads into the core idea of reproducible builds.
![homebrew example](images/homebrew.png)
![from code to shipping](images/pipeline-attest.svg)

Note:
Independent, diverse builders rebuild and attest to the hash. Next: Akka.
![reproducible builds logo](images/r-b-icon.svg)

Note:
The logo symbolizes the happy case: bit-by-bit identical output, so verifying equality is easy (compare hashes). Different from merely 'repeatable'.
![Akka logo](images/akka-full-color.svg)
![Akka jars](images/akka-maven.png)

Note:
Diverse: the jars are reproduced on macOS and on Linux.
# Why Not?

* Compromised build infra
* Build nondeterminisms

Note:
Sounds great! So what's going on when a build is not reproducible?
# Why Not?

* Compromised build infra
* Build nondeterminisms
* Sometimes: insidious bugs!
* Many 'accidental' differences

Note:
Examples of such bugs: a static private key, a random seed.
# Why not?

Build timestamps:

```diff
- V2.0-000..Wed·Feb·13·23:10:22·20
+ V2.0-000..Wed·Mar·18·05:31:03·20
```

Fix: [SOURCE_DATE_EPOCH](https://reproducible-builds.org/specs/source-date-epoch/)
# Why not?

File ordering:

```diff
 return (
-    '/usr/lib/jvm/java-8-openjdk/jre/lib/amd64/server',
-    '/usr/lib/jvm/java-8-openjdk/jre/lib/amd64/jli',
     '/usr/lib/jvm/java-8-openjdk/jre/lib/amd64',
+    '/usr/lib/jvm/java-8-openjdk/jre/lib/amd64/jli',
+    '/usr/lib/jvm/java-8-openjdk/jre/lib/amd64/server',
 )
```
# Why not?

* Dictionary/hash/database ordering
* Build paths
* Locale, timezone
* Users, groups, umask, environment variables, etc.

Note:
A nice side effect: chasing these differences surfaces unintentional dependencies on system properties. Next: other advantages.
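The three slides above (timestamps, file ordering, and owner/umask/environment leakage) are the bread and butter of making a packaging step deterministic. As an added example, not code from the talk or from any project it mentions, here is a small archive-creation step written both the naive way and the pinned way, so the difference shows up in the hashes. It honours SOURCE_DATE_EPOCH as per the spec linked above; the sample files and all function names are this example's own, and the fixed fallback epoch is an assumption (a real project would typically use its last commit time).

```python
"""Deterministic archive creation (added example, not from the talk).

Neutralises three sources of difference from the slides: timestamps
(clamped to SOURCE_DATE_EPOCH), file ordering (explicit sort) and
owner/group/mode (fixed values). Sample files are constructed inline so
the script runs offline; all names here are this example's own.
"""
import hashlib
import io
import os
import tarfile
import time
from typing import Dict, List, Optional, Tuple

# Constructed sample build output (contents are arbitrary placeholders).
SAMPLE_FILES: Dict[str, bytes] = {
    "lib/amd64/server/libjvm.so": b"\x7fELF" + b"\x00" * 12,
    "lib/amd64/jli/libjli.so": b"\x7fELF" + b"\x01" * 12,
    "bin/java": b"#!/bin/sh\nexec ./real-java \"$@\"\n",
}


def build_epoch(env: Optional[Dict[str, str]] = None) -> int:
    """Timestamp to stamp into build outputs.

    Honours SOURCE_DATE_EPOCH. The fallback is a fixed value (assumption:
    a project would normally use its last commit time), never time.time(),
    so the output does not depend on when the build ran.
    """
    env = dict(os.environ) if env is None else env
    return int(env.get("SOURCE_DATE_EPOCH", "0"))


def naive_tar(files: Dict[str, bytes], epoch: Optional[int] = None) -> bytes:
    """What an unmodified build script tends to do: insertion (readdir)
    order, wall-clock mtime unless told otherwise, the build user's uid/gid."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = int(time.time()) if epoch is None else epoch
            info.uid = getattr(os, "getuid", lambda: 1000)()
            info.gid = getattr(os, "getgid", lambda: 1000)()
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def deterministic_tar(files: Dict[str, bytes], epoch: int) -> bytes:
    """Same content, but every header field that could vary is pinned."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in sorted(files):  # code-point order: independent of locale, dict and readdir order
            data = files[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = epoch  # SOURCE_DATE_EPOCH, not the build machine's clock
            info.uid = info.gid = 0  # no build-user leakage
            info.uname = info.gname = ""
            info.mode = 0o755 if name.startswith("bin/") else 0o644  # explicit, not umask-derived
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def archive_entries(data: bytes) -> List[Tuple[str, int, int]]:
    """(name, mtime, uid) per entry in archive order, to inspect a result."""
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        return [(m.name, int(m.mtime), m.uid) for m in tar.getmembers()]


if __name__ == "__main__":
    epoch = build_epoch({"SOURCE_DATE_EPOCH": "1600000000"})
    # Simulate a second machine whose readdir() returns the files in another order.
    shuffled = dict(reversed(list(SAMPLE_FILES.items())))
    print("naive        :", sha256(naive_tar(SAMPLE_FILES, epoch)) == sha256(naive_tar(shuffled, epoch)))
    print("deterministic:", sha256(deterministic_tar(SAMPLE_FILES, epoch)) == sha256(deterministic_tar(shuffled, epoch)))
```

The naive variant differs between the two "machines" purely because of entry order, even with the epoch pinned; the deterministic variant is identical, and changing the epoch by one second changes its hash, which is exactly what a rebuilder comparing against a published hash would catch.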
# Additional advantages

Build efficiency:

![bazel dependency graph](images/bazel.png)

Note:
Reproducibility improves caching: identical inputs give identical outputs, so unnecessary rebuilds are skipped. Next: analysis.
# Analysis

[diffoscope](https://diffoscope.org)

```
$ diffoscope badge-firmware.bin /tmp/badge-firmware.bin
│ │   00055f10: 4275 696c 7420 6f6e  test....Built on
│ │   00055f20: 2032 3031 392c 2031  : Feb 13 2019, 1
│ │ - 00055f30: 496e 6974 6961 6c69  5:48:24.Initiali
│ │ + 00055f30: 496e 6974 6961 6c69  5:44:34.Initiali
│ │   00055f40: 2074 6573 7469 6e67  zing and testing
```
# Analysis

[diffoscope](https://diffoscope.org) understands many formats, among them:

Android APK files, Android boot images, Ar(1) archives, Berkeley DB database files, Bzip2 archives, Character/block devices, ColorSync colour profiles (.icc), Coreboot CBFS filesystem images, Cpio archives, Dalvik .dex files, Debian .buildinfo files, Debian .changes files, Debian source packages (.dsc), Device Tree Compiler blob files, Directories, ELF binaries, ...
# Analysis

buildinfo

![akka buildinfo](images/akka-maven-buildinfo.png)

Note:
A buildinfo file records things that shouldn't, but might, impact reproducibility (the CPU?). This concludes the developer perspective. Questions? Next: who cares?
## Who cares?

![who cares? developers and users alike!](images/whocares-1.svg)

Note:
Two groups of users.
## Who cares?

![who cares? developers and users alike!](images/whocares-2.svg)

Note:
Ask your vendor: are they serious about security? SLSA (Supply-chain Levels for Software Artifacts) puts reproducible builds at level 4. Nice, do it, etc. But r-b really shines, and is a superpower, in open source. Look at the pipeline.
![from code to shipping](images/pipeline-attest.svg)
![from code to shipping](images/pipeline-attest-devonly.svg)

Note:
* audit source code
![from code to shipping](images/pipeline-attest-independent.svg)

Note:
* audit source code
* independently reproduce
* Huge deal: no need to trust the developer's build infrastructure, or even the team and contributors (blackmail, coercion)
* Attack surface. I lied.
## Who cares?

![who cares? developers and users!](images/whocares-2.svg)

Note:
Aside from devs and users, there is a third group for which r-b is super interesting.
## Who cares?

![who cares? also distro's!](images/whocares-3.svg)

Note:
* Distros build code
* on behalf of users
* with lots of infrastructure
* the perfect use case for r-b
# Debian

* Many packages reproducible
* Work on live-build ISO images
* `apt-transport-in-toto`

Note:
Traditionally a huge driving factor.
# Arch

* [pacman-bintrans](https://github.com/kpcyrd/pacman-bintrans)
# openSUSE

* Great at upstreaming!
# Nix(OS)

* Nice stable dependencies!
* `nix-build -A hello --check`
* _almost_ all of the minimal installer reproducible
* [Trustix](https://github.com/tweag/trustix)
# Guix

* Similar to Nix
* `guix challenge`
* Forerunner in [bootstrappable](https://bootstrappable.org) builds!

Note:
Remember the yellow box, not only code? Minimize it: no turtles.
# F-Droid

* Reproduces 'under the hood', not surfaced in UI yet
# Tails

* Reproducible (not systematically checked)
# What's next?

Users:

* Ask your vendors :D
* See if your fave package is reproducible
* No? Try it and [diffoscope](https://diffoscope.org)!

Note:
* tough nuts to crack
* also low-hanging fruit!
# What's next?

Developers:

* Reproduce your own builds: [https://github.com/kpcyrd/i-probably-didnt-backdoor-this](https://github.com/kpcyrd/i-probably-didnt-backdoor-this)

Note:
Takes you through a Rust project:
* ELF binary
* Docker image
* Arch package
# What's next?

Developers:

* Reproduce your own builds
* Check your upstreams
* Empower your downstreams
* Help your distro

https://reproducible-builds.org

Note:
A ton of super interesting work to do, with different kinds of challenges. reproducible-builds.org is the 'hub' of a decentralized initiative. Slides and video are also there. Open up for questions and discussion!
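"Reproduce your own builds" boils down to: build twice in fresh, scrubbed environments, compare hashes, and when they differ, look at the bytes the way the diffoscope hexdump on the Analysis slide does. As an added example, not code from the talk or from the i-probably-didnt-backdoor-this project, here is a minimal harness that does exactly that. The two demo "builds" are constructed Python one-liners: one embeds the wall clock (the "Built on ..." stamp from the firmware diff), the other takes its date from SOURCE_DATE_EPOCH. The pinned environment values and all names are this example's own assumptions.

```python
"""Build-twice-and-compare harness (added example, not from the talk).

Runs a build command twice in fresh working directories with a scrubbed,
pinned environment, hashes the artifact, and on mismatch reports the
first differing byte ranges with context, much like a diffoscope hexdump.
The demo builds are constructed Python one-liners; names are this example's own.
"""
import hashlib
import os
import subprocess
import sys
import tempfile
from typing import List, Tuple

# Only PATH survives from the caller; locale, timezone, HOME and the build
# timestamp are pinned so they cannot leak into the artifact (assumed values).
SCRUBBED_ENV = {
    "PATH": os.environ.get("PATH", "/usr/bin:/bin"),
    "LC_ALL": "C",
    "TZ": "UTC",
    "HOME": "/nonexistent",
    "SOURCE_DATE_EPOCH": "1600000000",
}

# Constructed demo builds (argv lists, no shell involved).
WALLCLOCK_BUILD = [sys.executable, "-c",
    "import time; open('out.bin','wb').write(b'firmware v2.0 Built on %d' % time.time_ns())"]
PINNED_BUILD = [sys.executable, "-c",
    "import os; open('out.bin','wb').write(b'firmware v2.0 Built on %s' % os.environ['SOURCE_DATE_EPOCH'].encode())"]


def run_build(argv: List[str], artifact: str) -> bytes:
    """Run one build in a throwaway directory and return the artifact bytes."""
    with tempfile.TemporaryDirectory() as workdir:
        subprocess.run(argv, cwd=workdir, env=SCRUBBED_ENV, check=True)
        with open(os.path.join(workdir, artifact), "rb") as fh:
            return fh.read()


def diff_ranges(a: bytes, b: bytes, context: int = 8, limit: int = 5) -> List[Tuple[int, bytes, bytes]]:
    """First `limit` differing regions as (offset, a_slice, b_slice); each
    slice is padded with `context` bytes on either side, hexdump-style."""
    out: List[Tuple[int, bytes, bytes]] = []
    i, n = 0, max(len(a), len(b))

    def same(k: int) -> bool:  # a missing byte (length mismatch) counts as a difference
        return k < len(a) and k < len(b) and a[k] == b[k]

    while i < n and len(out) < limit:
        if same(i):
            i += 1
            continue
        start = i
        while i < n and not same(i):
            i += 1
        lo, hi = max(0, start - context), min(n, i + context)
        out.append((start, a[lo:hi], b[lo:hi]))
    return out


def reproduce(argv: List[str], artifact: str) -> Tuple[bool, str, List[Tuple[int, bytes, bytes]]]:
    """Build twice; return (identical?, sha256 of the first build, diff ranges)."""
    first = run_build(argv, artifact)
    second = run_build(argv, artifact)
    digest = hashlib.sha256(first).hexdigest()
    if hashlib.sha256(second).hexdigest() == digest:
        return True, digest, []
    return False, digest, diff_ranges(first, second)


if __name__ == "__main__":
    for label, argv in (("wall clock", WALLCLOCK_BUILD), ("pinned", PINNED_BUILD)):
        ok, digest, diffs = reproduce(argv, "out.bin")
        print(f"{label}: {'reproducible' if ok else 'NOT reproducible'} sha256={digest[:16]}...")
        for offset, a, b in diffs:
            print(f"  @{offset:#010x} - {a!r}\n  @{offset:#010x} + {b!r}")
```

Swap the demo argv for your real build command (`make`, `cargo build --release`, ...) and the artifact path, and the same loop gives you a quick reproducibility check before involving a second machine; once the two runs differ, diffoscope on the two artifacts is the next step.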