Hi Vagrant,

On Fri, Mar 29, 2024 at 07:38:35PM -0700, Vagrant Cascadian wrote:
> Philipp Kern asked about trying to do reproducible builds checks for
> recent security updates to try to gain confidence about Debian's buildd
> infrastructure, given that they run builds in sid chroots which may have
> used or built or run a vulnerable xz-utils...
>
> So far, I have not found any reproducibility issues; everything I tested
> I was able to get to build bit-for-bit identical with what is in the
> Debian archive.
>
> I only tested bookworm security updates (not bullseye), and I tested the
> xz-utils update now present in unstable, which took a little trial and
> error to find the right snapshot! The build dependencies for Debian
> bookworm (a.k.a. stable) were *much* easier to satisfy, as it is not a
> moving target!
>
>
> Debian bookworm security updates verified:
>
> cacti iwd libuv1 pdns-recursor samba composer fontforge knot-resolver
> php-dompdf-svg-lib squid yard
>
> Not yet finished building:
>
> openvswitch
>
> Did not yet try some time and disk-intensive builds:
>
> chromium firefox-esr thunderbird
>
> Debian unstable updates verified:
>
> xz-utils
>
>
> A tarball of build logs (including some failed builds) and .buildinfo
> files is available at:
>
> https://people.debian.org/~vagrant/debian-security-rebuilds.tar.zst
>
>
> Some caveats:
>
> Notably, xz-utils has a build dependency that pulls in xz-utils, and the
> version used may have been a vulnerable version (partly vulnerable?),
> 5.6.0-0.2.
>
> The machine where I ran the builds had done some builds using packages
> from sid over the last couple months, so may have at some point run the
> vulnerable xz-utils code, so is not absolutely the cleanest of
> checks... but is at least some sort of data point.
>
> The build environment used tarballs that had usrmerge applied (as it is
> harder to not apply usrmerge these days), while the buildd
> infrastructure chroots do not have usrmerge applied. But this did not
> appear to cause significant problems, although it pulled in a few more
> perl dependencies!
>
>
> I used sbuild with the --chroot-mode=unshare mode. For the xz-utils
> build I used some of the ideas developed in an earlier verification
> builds experiment:
>
>
> https://salsa.debian.org/reproducible-builds/debian-verification-build-experiment/-/blob/e003ddf19de13db2d512c25417e4bec863c3a082/sbuild-wrap#L71
>
>
> Was great to try and apply Reproducible Builds to real-world uses!

Thanks a lot for doing this verification work!

There would be an upcoming (or actually postponed) util-linux update as
well. Could you as extra paranoia please verify these here as well (I
assume it's enough for you that the source package is signed, I stripped
the signature from the changes):

https://people.debian.org/~carnil/tmp/util-linux/

Regards,
Salvatore
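As an added example (not code from either message in this thread), the following POSIX shell script performs the "bit-for-bit identical" comparison Vagrant describes: it checks a directory of rebuilt .deb files against the Checksums-Sha256 field of the archive's .buildinfo file, like those in the tarball linked above. It assumes sha256sum(1) is available; the package names, versions and file contents in the demo are constructed placeholders, not real packages.

```shell
#!/bin/sh
# Added example, not code from the thread: check rebuilt .deb files against
# the Checksums-Sha256 field of the archive's .buildinfo, i.e. the
# "bit-for-bit identical" comparison described above. Assumes sha256sum(1)
# and the Debian .buildinfo layout: continuation lines "<sha256> <size> <file>".

# verify_buildinfo BUILDINFO DIR: 0 when every listed file exists in DIR with
# the listed size and SHA-256, 1 otherwise (per-file result on stderr).
verify_buildinfo() {
    buildinfo=$1; dir=$2
    fails=$(
        # Keep only the indented continuation lines of Checksums-Sha256.
        awk '/^Checksums-Sha256:/{f=1;next} /^[^ ]/{f=0} f' "$buildinfo" |
        while read -r want_sum want_size name; do
            path="$dir/$name"
            if [ ! -f "$path" ]; then echo "MISSING  $name" >&2; echo fail; continue; fi
            got_sum=$(sha256sum "$path" | cut -d' ' -f1)
            got_size=$(wc -c < "$path" | tr -d ' ')
            if [ "$got_sum" = "$want_sum" ] && [ "$got_size" = "$want_size" ]; then
                echo "OK       $name" >&2
            else
                echo "MISMATCH $name" >&2; echo fail
            fi
        done | grep -c fail || true
    )
    [ "$fails" -eq 0 ]
}

# Constructed demo: two fake "rebuilt" .deb files and a .buildinfo generated
# from them (package names and versions are placeholders, not real packages).
make_demo() {
    demo=$(mktemp -d)
    printf 'constructed binary package\n' > "$demo/example_1.0-1_amd64.deb"
    printf 'constructed doc package\n' > "$demo/example-doc_1.0-1_all.deb"
    {
        echo 'Source: example'
        echo 'Checksums-Sha256:'
        for f in example_1.0-1_amd64.deb example-doc_1.0-1_all.deb; do
            printf ' %s %s %s\n' "$(sha256sum "$demo/$f" | cut -d' ' -f1)" \
                "$(wc -c < "$demo/$f" | tr -d ' ')" "$f"
        done
        echo 'Build-Architecture: amd64'   # next field ends the checksum list
    } > "$demo/example_1.0-1_amd64.buildinfo"
    echo "$demo"
}

# tamper_demo DIR: append one byte to a rebuilt .deb so verification must fail.
tamper_demo() { printf 'x' >> "$1/example-doc_1.0-1_all.deb"; }
d=$(make_demo); verify_buildinfo "$d/example_1.0-1_amd64.buildinfo" "$d" && echo "rebuild verified"; rm -rf "$d"
```

In real use, point it at the .buildinfo from the archive (or the rebuild's own .buildinfo after diffing the two) and at the directory sbuild wrote the rebuilt packages into; any MISMATCH line is a reproducibility failure to investigate.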