[HN Gopher] Running an independent Arch Linux rebuilder
___________________________________________________________________

Running an independent Arch Linux rebuilder

Author : kpcyrd
Score  : 43 points
Date   : 2020-04-21 21:48 UTC (1 hours ago)

(HTM) web link (lists.reproducible-builds.org)
(TXT) w3m dump (lists.reproducible-builds.org)

  eindiran wrote:
  | Based on my reading of this Arch wiki page[0], it looks like this
  | doesn't impact packages in the AUR. Does anyone who is more
  | familiar with this know if that is true? It appears that it does
  | work for community packages though (see the bottom of this
  | page[1]).
  |
  | [0] https://wiki.archlinux.org/index.php/Rebuilderd
  |
  | [1] https://wiki.archlinux.org/index.php/Rebuilderd#Syncing_pack...
    tomjakubowski wrote:
    | AUR packages are source only so there's no binary package that
    | is distributed to be verified.
      serf wrote:
      | that's only mostly true.
      |
      | take for example the aur package for MS fonts;
      | https://aur.archlinux.org/packages/ttf-ms-fonts/
      |
      | all it does is download a ton of microsoft corefont
      | executables to unpack.
      |
      | another example would be the proprietary driver packages,
      | like the nvidia ones.
        banachtarski wrote:
        | proprietary drivers from nvidia are provided by the Arch
        | mainline (core) though?
          serf wrote:
          | right you are, I've been on beta for years and had
          | forgotten.
          |
          | point still stands, aur does distribute executables once
          | in a while.
      tomjakubowski wrote:
      | This is a question of the artifacts distributed as part of
      | Arch Linux, the tar.xz packages. The idea is to be able to
      | reproducibly build a package from source (where "source",
      | yes, may include binary assets and blobs), and check that
      | the copy you built matches what Arch distributes, byte for
      | byte. This way, you know the packager hasn't introduced
      | unexpected changes.
      |
      | Since end users build AUR packages themselves, there is
      | nothing distributed, and nothing to verify.
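The check tomjakubowski describes, a rebuilt package matching the distributed one byte for byte, is a hash comparison; the interesting part is what you do when it fails. The following added example (not code from the thread, from Arch, or from rebuilderd) verifies a rebuild and, on mismatch, reports which archive members differ, which is the first step a rebuilder operator takes before reaching for diffoscope. The two `.tar.xz` archives, the member names and their contents are all constructed in memory so that it runs offline; real Arch packages additionally carry `.PKGINFO`/`.BUILDINFO` metadata and are compressed with zstd today, which this illustration does not model.

```python
"""Verify a locally rebuilt package archive against the distributed one.

Illustrative code for the discussion above; not part of Arch, rebuilderd,
or the linked wiki pages. Everything below (package names, member names,
file contents) is constructed for the example.
"""
import hashlib
import io
import tarfile


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_pkg(files: dict, mtime: int = 0) -> bytes:
    """Build a .tar.xz in memory from {member name: content}.

    Members are added in sorted order and mtime is pinned, so that archive
    ordering and timestamps are not themselves a source of irreproducibility.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:xz") as tar:
        for name, content in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(content)
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def member_digests(pkg: bytes) -> dict:
    """Map every archive member to a digest of its metadata plus content."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(pkg), mode="r:xz") as tar:
        for info in tar.getmembers():
            content = tar.extractfile(info).read() if info.isfile() else b""
            meta = f"{info.mode}:{info.uid}:{info.gid}:{info.mtime}".encode()
            out[info.name] = sha256(meta + b"\0" + content)
    return out


def verify_rebuild(distributed: bytes, rebuilt: bytes) -> dict:
    """Return {"reproducible": bool, "diffs": [member names that differ]}.

    The pass condition is a byte-identical archive. On failure, list the
    members whose metadata or content differ, including members that only
    one side contains, so the operator knows where to look.
    """
    if sha256(distributed) == sha256(rebuilt):
        return {"reproducible": True, "diffs": []}
    a, b = member_digests(distributed), member_digests(rebuilt)
    diffs = sorted(n for n in set(a) | set(b) if a.get(n) != b.get(n))
    return {"reproducible": False, "diffs": diffs}


# Constructed sample: the packager's build, an honest independent rebuild,
# and a rebuild where one binary differs (a build path leaked into it, say).
UPSTREAM = {
    ".PKGINFO": b"pkgname = demo\npkgver = 1.0-1\n",
    "usr/bin/demo": b"\x7fELF demo binary built in /build\n",
}
DISTRIBUTED = make_pkg(UPSTREAM)
HONEST_REBUILD = make_pkg(UPSTREAM)
TAINTED = {**UPSTREAM, "usr/bin/demo": b"\x7fELF demo binary built in /home/x\n"}
UNREPRODUCIBLE_REBUILD = make_pkg(TAINTED)

if __name__ == "__main__":
    print(verify_rebuild(DISTRIBUTED, HONEST_REBUILD))
    print(verify_rebuild(DISTRIBUTED, UNREPRODUCIBLE_REBUILD))
```

Two archives built from identical inputs with pinned ordering and mtimes come out byte-identical, which is exactly the property a rebuilder relies on; the tainted rebuild fails the whole-file check and the per-member pass narrows the difference to `usr/bin/demo`.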
    gerdesj wrote:
    | I think of the AUR packages as more like ebuilds with fewer
    | safety catches 8)
    Foxboron wrote:
    | >Based on my reading of this Arch wiki page[0], it looks like
    | this doesn't impact packages in the AUR.
    |
    | Yes. AUR is excluded from reproducible builds because it only
    | provides build scripts and not actual packages. There is
    | nothing to reproduce. One surely could make a repo and compare
    | results, but it would frankly be a bit futile considering the
    | general package quality there.
      usr1106 wrote:
      | The wiki says:
      |
      | > a large number of builds are not reproducible yet
        Foxboron wrote:
        | Yes. But a staggering number of packages in the main [core]
        | repository are still fully reproducible by independent parties
        | if tools are run.
        |
        | https://wiki.archlinux.org/index.php/DeveloperWiki:Reproduci...
        |
        | It's still very much a work in progress.
  elagost wrote:
  | This is fantastic to see. Reproducible builds add yet another
  | layer of trust on top of open source software. The wiki page is
  | also classic Arch Wiki-style, with all the detail one would
  | expect. Every OSS project should strive to be this helpful.
  Foxboron wrote:
  | I never got around to submitting my blog to HN. But if people are
  | curious about some technical details of the underlying problems
  | of reproducing Arch Linux packages, I wrote something a few months
  | ago.
  |
  | https://linderud.dev/blog/reproducible-arch-linux-packages/
    richardwhiuk wrote:
    | Debian have done a huge amount of work in this area -
    | https://wiki.debian.org/ReproducibleBuilds
  Bnshsysjab wrote:
  | I care more about whether maintainers actually audit the contents of
  | packages rather than whether their builds are reproducible (though the
  | latter still matters)!
  |
  | Not just is there obvious malware, but also are there obvious
  | vulnerabilities, is the person that wrote it of good nature /
  | located in a country where they're safe from nation state
  | pressure, is there a lot of history behind the app.
  |
  | Obviously this is too much work for any individual and requires a
  | chain of trust. I believe Fedora and Ubuntu at the very least
  | audit to some extent but I've never seen any doco.
    andr0x wrote:
    | Just curious, are you saying there is obvious malware within
    | the Arch official repositories? Are you referring instead to
    | the user repositories (AUR)?
    |
    | I know Arch has:
    | https://wiki.archlinux.org/index.php/Arch_Security_Team
    |
    | but I'd be really interested to hear that the official packages
    | have obvious malware.
___________________________________________________________________
(page generated 2020-04-21 23:00 UTC)