On 11/2/16 8:43 PM, Jim Cheetham wrote:
> Quoting john hood (2016-11-02 18:45:17)
>> This isn't going to happen instantly. One approach to the trust issue here might be to just cop out-- stop doing OS X package builds and tell people to build their own, until we get this stuff into better shape.
>
> That probably doesn't really help - just because you can't have a 'perfect' build environment doesn't mean that the world is a better place if you have none :-)
>
> Transparency is the first part: whatever your build method is, make sure it is described so that potential users can make up their own minds about the risks.
>
> Then add as much accountability as possible, in terms of build logs and any artefacts like that, in case someone else can spot a problem that you didn't see on a particular given run. That is also helpful in terms of build quality itself, not just the security issues.
>
> As long as there is a viable path for an end-user to take from the source to a binary without trusting anything else from you, that's great. Some products (e.g. TrueCrypt) were exceptionally difficult to build, which was a problem.
>
> A repeatable build environment with a transparent trusted process? Probably not going to happen in the OS X world very easily, so just take steps to get closer :-)
It took a while but I've gotten someplace useful with this. I improved the Travis package build to better report its components and environment, and the result can be seen at <https://github.com/mobile-shell/mosh/pull/822> along with links to a sample build.

It appears that deterministic builds are Not Possible with the Xcode toolchain-- apparently the linker is threaded and puts things together in an unpredictable order. The bitcoin folks have managed to get deterministic builds, but that requires cross-compiles on Linux VMs with various tools assembled from various places, and some of the tools are apparently fairly broken. So I've put that aside for now.

I would certainly appreciate comments on how that build looks-- it certainly reports things, and produces hashes on build products to add some traceability, but I'm sure it can be improved.

regards,

--jh
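As an added illustration of the "report the environment, hash the products" approach discussed in this thread (example code, not the mosh project's Travis script or anything from the PR above), the script below records the toolchain and host, writes a sorted SHA-256 manifest of a build output directory, and compares two such builds so that any non-reproducible product is named. The directory layout and file names in the usage are assumptions.

```shell
#!/bin/sh
# Added example: build-product manifests and a two-build comparison.
# Assumes a POSIX shell, find, sort, uniq, awk, mktemp and either
# sha256sum (GNU coreutils) or shasum (macOS).

# Portable SHA-256 of one file, hash only.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Print "hash  relative-path" for every regular file under $1, sorted by
# path, so manifests from two runs of the same build line up line by line.
# Paths are assumed not to contain whitespace.
build_manifest() {
    dir=$1
    ( cd "$dir" && find . -type f | sort ) | while IFS= read -r rel; do
        printf '%s  %s\n' "$(sha256_of "$dir/$rel")" "${rel#./}"
    done
}

# What went into the build: enough for a reader of the log to check the
# host and compiler against what they would use themselves.
record_build_env() {
    printf 'date_utc: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    printf 'uname: %s\n' "$(uname -srm)"
    printf 'cc: %s\n' "$( ( "${CC:-cc}" --version 2>/dev/null || echo unknown ) | head -n 1 )"
}

# Compare two build output directories. Prints one line per product whose
# hash is not identical in both (changed, added or removed) and returns 1;
# returns 0 when every product matches, i.e. the builds were reproducible.
compare_builds() {
    ma=$(mktemp); mb=$(mktemp)
    build_manifest "$1" >"$ma"
    build_manifest "$2" >"$mb"
    # A "hash  path" line present in both manifests is dropped by uniq -u;
    # whatever survives differs between the two builds.
    differing=$(sort "$ma" "$mb" | uniq -u | awk '{print $2}' | sort -u)
    rm -f "$ma" "$mb"
    if [ -n "$differing" ]; then
        printf 'non-reproducible product: %s\n' $differing
        return 1
    fi
    return 0
}
```

A CI job would run `record_build_env` and `build_manifest "$OUTDIR"` into the log next to the package upload; a second, independent run of the same job can then be checked with `compare_builds` against the archived output.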
_______________________________________________
mosh-devel mailing list
mosh-devel@mit.edu
http://mailman.mit.edu/mailman/listinfo/mosh-devel