Are Ubuntu builds deterministic? Why not?


2

Is Ubuntu deterministic? I thought it was, meaning that if I were to recreate the process of building the Ubuntu installation media, I would get the same image as the Ubuntu image (bit for bit, with the same checksum).

A recent post by Joanna Rutkowska (lead developer of the Qubes OS distribution) suggests that this is not the case:

currently most projects, including all Linux distributions, do not build deterministically

Why not?

-1

For starters, I don't think Rutkowska was talking about building installation media deterministically, but about packages (deb, rpm).

Debian is working on building packages reproducibly (https://wiki.debian.org/ReproducibleBuilds) but there are still lots of packages that don't build that way...

Building a whole distribution deterministically surely is even more of a challenge.


0

No they're not. Let's clarify a distinction here,

  • Does the system support "reproducible builds"?

    Yes all systems support packages that are deterministic.

  • Does the system enforce "reproducible builds"?

    Nope, though it does help diagnose problems, and work is being done to make packages reproducible -- bugs are being reported and handled anyway.

  • Is everything, without exception, reproducible?

    Not even close.

Now let's define "reproducible builds"

A build is reproducible if given the same source code, build environment and build instructions, any party can recreate bit-by-bit identical copies of all specified artifacts.

The relevant attributes of the build environment, the build instructions and the source code as well as the expected reproducible artifacts are defined by the authors or distributors. The artifacts of a build are the parts of the build results that are the desired primary output.

Now let's talk about what is required

Check out this page under "How" which lays down three criteria

  1. the build system needs to be made entirely deterministic: transforming a given source must always create the same result. Typically, the current date and time must not be recorded and output always has to be written in the same order.

  2. the set of tools used to perform the build and more generally the build environment should either be recorded or pre-defined.

  3. users should be given a way to recreate a close enough build environment, perform the build process, and verify that the output matches the original build.

You can find more documentation about all of that here.

As to why Ubuntu isn't currently reproducible, things like Perl currently fail because -V stores the compiler args for convenience -- they're waiting on GCC to patch this upstream. A lot of this functionality could simply be nuked. Some other problems: some man pages and programs have the build dates compiled in, others compile in mutable paths to shared libraries and the like.

Not being reproducible isn't a problem or a vulnerability. It just makes it harder to verify that you haven't been tampered with, and currently that functionality is being viewed as more valuable.

You can follow Debian's progress towards determinism here.
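Worked example, added here and not part of either answer: it builds the same constructed source tree from two "checkouts" with different file timestamps, first naively and then with every mutable field pinned, and compares checksums. The tar.gz stands in for a package; SOURCE_DATE_EPOCH is the reproducible-builds.org convention for a recorded build timestamp, and the tree contents are made up.

```python
"""Added example: embedded timestamps and archive metadata versus a pinned build."""
import gzip, hashlib, io, os, tarfile, tempfile

SOURCE_DATE_EPOCH = 1_600_000_000  # assumed release timestamp, recorded with the build

def make_checkout(root, mtime):
    """Constructed sample source tree; mtime simulates when this checkout was made."""
    src = os.path.join(root, "src")
    os.makedirs(src)
    for name, body in (("main.c", b"int main(void){return 0;}\n"), ("VERSION", b"1.0\n")):
        path = os.path.join(src, name)
        with open(path, "wb") as f:
            f.write(body)
        os.utime(path, (mtime, mtime))
    return src

def naive_build(src):
    """Records each file's mtime and owner; the gzip header stamps wall-clock time."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        tar.add(src, arcname="pkg")
    return buf.getvalue()

def reproducible_build(src):
    """Pins member order, mtime, ownership and the gzip header time (criteria 1 and 2)."""
    def normalize(ti):
        ti.mtime = SOURCE_DATE_EPOCH
        ti.uid = ti.gid = 0
        ti.uname = ti.gname = ""
        return ti
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        tar.add(src, arcname="pkg", recursive=False, filter=normalize)
        for name in sorted(os.listdir(src)):  # explicit, stable output order
            tar.add(os.path.join(src, name), arcname=f"pkg/{name}", filter=normalize)
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=0) as gz:  # no clock in header
        gz.write(raw.getvalue())
    return out.getvalue()

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def compare(build):
    """Build from two checkouts made at different times; True if checksums match."""
    digests = []
    for mtime in (1_500_000_000, 1_700_000_000):
        with tempfile.TemporaryDirectory() as tmp:
            digests.append(sha256(build(make_checkout(tmp, mtime))))
    return digests[0] == digests[1]

if __name__ == "__main__":
    print("naive build reproducible:", compare(naive_build))          # False
    print("pinned build reproducible:", compare(reproducible_build))  # True
```

The naive archive differs between the two checkouts even though the source bytes are identical, which is exactly the "you can't tell tampering from noise" problem the answer describes.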