Debian must ship reproducible packages

Posted by robalni 6 hours ago

Debian must ship reproducible packages(lists.debian.org)

180 points | 62 commentspage 2

shevy-java 5 hours ago|

A small step for debian,

giant leap for mankind.

stingraycharles 5 hours ago|

As someone who recently spent a lot of time on making a large C++ program entirely reproducible on 4 different OS’es, one cannot understate just how many tiny details matter here.

gjvc 2 hours ago||

"overstate"

stingraycharles 1 hour ago||

Whoops, yes. Well I hope the point came across anyway.

cyh555 1 hour ago||

it's funny that as a non-native speaker, I have to check with Gemini about how "cannot overstate" is used

I also asked Gemini whether we express ourselves that way in my mother tongue (Mandarin), and yes, we do, but it came off as being too formal way of speaking. We don't normally use it (I'm not from China/Taiwan though)

idovmamane 2 hours ago||

[dead]

charcircuit 2 hours ago||

So much time has been wasted on reproducible builds which could have better spent on securing more important parts of Debian. Practically minor changes like a build timestamp being different is not an issue.

farfatched 9 minutes ago||

Yes, making sure build timestamps are reproducible isn't a security win.

What is a win is that two independent parties can run the same build, and get the same binaries.

This is important because it removes trust from builders: anyone can verify their output.

It just so happens that unimportant things like build versions impede that.

Hendrikto 57 minutes ago||

It allows verifying that the binaries actually match the source, which is extremely valuable.

kkfx 4 hours ago||

Debian, like any other legacy distro, mush became declarative, because the '80s model of manual deploy and the absurd pain of D/I and Preseed must end.

farfatched 7 minutes ago||

I've been 100% on NixOS on many years, but it's Debian that really drove this project.

They're still a pragmatic choice for many usecases.

kakwa_ 2 hours ago|||

In the end, Nix is just a thin veneer on this stuff.

Given how many quick & dirty sed patching or exec commands I've seen in the few nix package/modules I've read, I would not exactly bet my life on it being completely idempotent & reproducible.

suprjami 56 minutes ago||

bootcrew have bootc Containerfiles for Debian, Ubuntu, Arch, and openSUSE:

https://github.com/bootcrew/mono

blueflow 6 hours ago|

zero improvement on end-user experience. does not solve supply chain issues, debian package will reproducabily contain the malware from upstream.

quantummagic 5 hours ago||

> zero improvement on end-user experience.

Maybe not by itself, but it does allow for the ecosystem to be audited, in a way that ultimately benefits the end-user. It really is an important part of a healthy supply chain.

PunchyHamster 2 hours ago|||

no problem in Debian since the start of the effort would be solved by reproductible builds

This is nice pat yourself on the back achievement for people that prefer security theatre and checking boxes than doing something actually useful, and they wasted thousands man hours of poor victims that had to implement it

miohtama 4 hours ago|||

[flagged]

LtWorf 2 hours ago|||

NK isn't the hostile superpower I'm most concerned about.

testdelacc1 4 hours ago|||

While taking no stance on your statement, I think “fewer” works better in this context than “less”.

gjvc 2 hours ago||

"fewer" when the measure is discrete, "less" when it is continuous

hiAndrewQuinn 5 hours ago|||

This is some of the best news I've heard recently when it comes to figuring out how to produce high quality Software Bills of Materials for the upcoming EU Cyber Resilience Act, for what it's worth. Reproducible packages are actually worth a great deal when you are selling products with digital elements. Much easier to scan through, audit, etc. with confidence.

rlpb 6 hours ago|||

Debian has had a better "software supply chain" posture than any other player in the ecosystem since before the turn of the century. While we all face the risk of malware from upstream, Debian is the least at risk of being affected by it. See for example the stream of issues from npm et al. None of it has affected Debian.

suprjami 52 minutes ago|||

You do remember the xz-utils backdoor was found in Sid right?

https://en.wikipedia.org/wiki/XZ_Utils_backdoor

alkindiffie 5 hours ago|||

> for example the stream of issues from npm et al.

Curious, what distros where affected by npm supply chain attacks?

throw_a_grenade 3 hours ago||

It's npm that's affected, therefore it's not even considered when choosing language/ecosystem for writing distro tools. You'll find no sane distro writing package manager in javascript precisely to avoid this joke of a supply chain.

cxr 10 minutes ago|||

ECMA-262 doesn't require the use of NPM or NodeJS. (In fact, they are at odds, even 10+ years after modules were standardized in ES6.)

skydhash 34 minutes ago|||

I quite like the OpenBSD approach to Go and Rust projects in ports. They store all the dependencies and their hashes in the build recipe, not trusting the project ones. And they’re more readable.

Here is jujutsu’s list of dependencies[0] and their hashes[1]. As an aside, that’s why I don’t like those packages managers. Something like Python’s numpy or lib curl, get sliced into atomic portions.

[0]: https://github.com/openbsd/ports/blob/master/devel/jujutsu/c...

[1]: https://github.com/openbsd/ports/blob/master/devel/jujutsu/d...

iveqy 5 hours ago|||

It does not solve all supply chain issues, it do solve some supply chain issues.

Not being able to see if the source code shipped is the same as been used for creating the binary is scary

murderfs 4 hours ago||

Has there been a single publicly known attack that would have been prevented by this?

MomsAVoxell 1 hour ago|||

Why should it only be valuable if the effects were to be publicly known?

There are plenty of places in industrial computing where reproducible builds have prevented subterfuge within the organizations themselves. Injecting binaries to do inf-/exfiltration is a long-standing industrial espionage activity which is of immense value to all users of the operating system - not just the consumer users.

PunchyHamster 2 hours ago||||

Zero in Debian. They have enough other procedures to catch it.

Less diligent projects had it but there are easier ways to fix it

LtWorf 2 hours ago|||

Several actually. Pypi is regularly targeted in this way.

PunchyHamster 2 hours ago|||

Hasn't happened in Debian

MomsAVoxell 1 hour ago||

“Hasn’t happened” is quite naive. It happens internally - putting unscrupulous code in a company’s distro before torching the place is a surprisingly regular occurrence in places which have long since adopted Debian as a platform host. IT departments around the globe will benefit from this immensely.

charcircuit 1 hour ago|||

But how many of those attackers also had the ability to publish a github commit but didn't to remain more stealthy.

LtWorf 13 minutes ago||

This question is meaningless. Attackers will pick the best attack if they have more at their disposal. The fact that they didn't push a commit shows it's better not to. So closing that attack is good.

MomsAVoxell 1 hour ago|||

Who is this mythical end user? Reproducible builds are good for everyone - not just the average joe.

atoav 5 hours ago|||

If you find yourself holding opinions of the kind: "If it can't be made perfect, it shouldn't be changed at all?" you may want to consider that most things that work well today were incrementally improved.

Reproducable builds are not solving all issues as you rightly observed, but they can be a stepping stone (or even a pre-condition) for further measures.

mschuster91 5 hours ago|||

That's not what reproducible builds aim to prevent, and no one claims that. When upstream pushes bad code, that's on upstream.

The thing reproducible builds aim to prevent is Debian or individual developers and system administrators with access rights to binary uploads and signing keys to get forced to sign and upload binary packages by attackers - be these governments (with or without court orders) or criminal organizations.

As of now, say if I were an administrator of Debian's CI infrastructure, technically there would be nothing preventing me from running an "extra" job on the CI infrastructure building a package for openssh with a knock-knock backdoor, properly signing it and uploading it to the repository. For someone to spot the attack and differentiate it, they'd have to notice that there is a package in the repository that has no corresponding build logs or has issues otherwise.

But with reproducible builds, anyone can set up infrastructure to rebuild Debian packages from source automatically and if there is a mismatch with what is on Debian's repository, raise alarm bells.

ownagefool 3 hours ago||

Reproducible builds shows that, within a specific configuration, the code produced the binary, regardless of who signed or published it.

Indeed, this could mitigate an attacker replacing the binary with something that's not produced from the code, but it does not mitigate the tool chain or code itself containing the exploit, creating a malicious binary.

shevy-java 5 hours ago|||

Well - reproducible also means code guarantee. It may not improve an end-user experience directly, but you get an extra quality control step, as guarantee, here. I think reproducibility is great. If we can achieve that, it should be achieved. See also NixOS; it can guarantee that snapshot xyz works, not just for one user, but ALL users. I see it as hopping from guarantee to guarantee. That's actually a good thing in the long run. Just think differently here.

otabdeveloper4 2 hours ago||

> zero improvement on end-user experience

The end-user experience is that now you can host your Debian binaries in caches and CDNs without worrying about supply chain hackers.

You can verify that file hashes match the ones on Debian's website and sleep much better at night.

If you don't trust Debian's website then you can rebuild yourself and check if Debian has been compromised.

tremon 49 minutes ago||

You could already do that since Debian cryptographically signs all its package indexes, and the indexes contain the hash of all packages. The additional guarantee that reproducible builds bring is that you can re-build the packages in your own controlled environment and verify that the resulting package is bit-for-bit identical to what Debian offers.