[HN Gopher] Running an independent Arch Linux rebuilder
       ___________________________________________________________________
        
       Running an independent Arch Linux rebuilder
        
       Author : kpcyrd
       Score  : 43 points
       Date   : 2020-04-21 21:48 UTC (1 hours ago)
        
 (HTM) web link (lists.reproducible-builds.org)
        
       | eindiran wrote:
       | Based on my reading of this Arch wiki page[0], it looks like this
       | doesn't impact packages in the AUR. Does anyone who is more
       | familiar with this know if that is true? It appears that it does
       | work for community packages though (see the bottom of this
       | page[1]).
       | 
       | [0] https://wiki.archlinux.org/index.php/Rebuilderd
       | 
       | [1]
       | https://wiki.archlinux.org/index.php/Rebuilderd#Syncing_pack...
        
         | tomjakubowski wrote:
         | AUR packages are source only so there's no binary package that
         | is distributed to be verified.
        
           | serf wrote:
            | That's only mostly true.
            | 
            | Take for example the AUR package for MS fonts:
            | https://aur.archlinux.org/packages/ttf-ms-fonts/
            | 
            | All it does is download a ton of Microsoft corefont
            | executables to unpack.
            | 
            | Another example would be the proprietary driver packages,
            | like the nvidia ones.
        
             | banachtarski wrote:
              | Proprietary drivers from nvidia are provided by the Arch
              | mainline (core) though?
        
               | serf wrote:
                | Right you are, I've been on beta for years and had
                | forgotten.
                | 
                | Point still stands, AUR does distribute executables once
                | in a while.
        
             | tomjakubowski wrote:
             | This is a question of the artifacts distributed as part of
             | Arch Linux, the tar.xz packages. The idea is to be able to
             | reproducibly build a package from source (where "source",
             | yes, may include binary assets and blobs), and check that
             | the copy you built matches what Arch distributes, byte for
             | byte. This way, you know the packager hasn't introduced
             | unexpected changes.
             | 
             | Since end users build AUR packages themselves, there is
             | nothing distributed, and nothing to verify.
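As an added illustration of the byte-for-byte check described in this comment (example code added here, not from the thread, from Arch, or from rebuilderd): the function below hashes a distributed archive against an independently rebuilt one and, on a mismatch, opens both as tar.xz to report which members differ. The two sample archives are constructed inline, with one of them embedding a different build date in a hypothetical `.BUILDINFO` member.

```python
import hashlib
import io
import tarfile


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _member_digests(blob: bytes) -> dict:
    """Map every member of a tar.xz archive to the SHA-256 of its contents."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:xz") as tf:
        for member in tf.getmembers():
            handle = tf.extractfile(member)
            digests[member.name] = sha256(handle.read()) if handle else None
    return digests


def compare_packages(distributed: bytes, rebuilt: bytes) -> dict:
    """Return whether the rebuilt archive matches the distributed one byte
    for byte; if not, list the members whose contents (or presence) differ,
    so the source of nondeterminism can be located."""
    if sha256(distributed) == sha256(rebuilt):
        return {"reproducible": True, "differing_members": []}
    a, b = _member_digests(distributed), _member_digests(rebuilt)
    diffs = sorted(name for name in a.keys() | b.keys() if a.get(name) != b.get(name))
    return {"reproducible": False, "differing_members": diffs}


def build_sample(build_date: str) -> bytes:
    """Constructed sample: a tiny tar.xz imitating a package whose
    .BUILDINFO embeds a build date (the classic reproducibility leak)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:xz") as tf:
        for name, content in (
            (".BUILDINFO", f"builddate = {build_date}\n"),
            ("usr/bin/hello", "#!/bin/sh\necho hello\n"),
        ):
            data = content.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = 0  # fixed timestamp, as a reproducible build would set
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```

Same inputs give a byte-identical archive; a differing build date is pinpointed to `.BUILDINFO` rather than just "hash mismatch".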
        
             | gerdesj wrote:
             | I think of the AUR packages as more like ebuilds with fewer
             | safety catches 8)
        
         | Foxboron wrote:
          | > Based on my reading of this Arch wiki page[0], it looks like
          | this doesn't impact packages in the AUR.
         | 
         | Yes. AUR is excluded from reproducible builds because it only
         | provides build scripts and not actual packages. There is
         | nothing to reproduce. One surely could make a repo and compare
         | results, but it would frankly be a bit futile considering the
         | general package quality there.
        
       | usr1106 wrote:
       | The wiki says:
       | 
       | > a large number of builds are not reproducible yet
        
         | Foxboron wrote:
          | Yes. But a staggering number of packages in the main [core]
          | repository are still fully reproducible by independent parties
          | if the tools are run.
         | 
         | https://wiki.archlinux.org/index.php/DeveloperWiki:Reproduci...
         | 
         | It's still very much a work in progress.
        
       | elagost wrote:
        | This is fantastic to see. Reproducible builds add yet another
        | layer of trust on top of open source software. The wiki page is
       | also classic Arch Wiki-style, with all the detail one would
       | expect. Every OSS project should strive to be this helpful.
        
       | Foxboron wrote:
       | I never got around to submitting my blog to HN. But if people are
       | curious about some technical details of the underlying problems
       | of reproducing Arch Linux packages I wrote something a few months
       | ago.
       | 
       | https://linderud.dev/blog/reproducible-arch-linux-packages/
        
       | richardwhiuk wrote:
       | Debian have done a huge amount of work in this area -
       | https://wiki.debian.org/ReproducibleBuilds
        
       | Bnshsysjab wrote:
       | I care more about if maintainers actually audit the contents of
       | packages rather than if their builds are reproducible (though the
       | latter still matters)!
       | 
        | Not just whether there is obvious malware, but also whether there
        | are obvious vulnerabilities, whether the person that wrote it is of
        | good nature / located in a country where they're safe from nation
        | state pressure, and whether there is a lot of history behind the app.
       | 
       | Obviously this is too much work for any individual and requires a
       | chain of trust. I believe fedora and Ubuntu at the very least
       | audit to some extent but I've never seen any doco.
        
         | andr0x wrote:
          | Just curious, are you saying there is obvious malware within
          | the Arch official repositories? Or are you instead referring to
          | the user repositories (AUR)?
         | 
         | I know Arch has:
         | https://wiki.archlinux.org/index.php/Arch_Security_Team
         | 
         | but I'd be really interested to hear that the official packages
         | have obvious malware.
        