[tahoe-dev] reproducible builds for Tahoe-LAFS: where do we start?

Sat Aug 31 14:12:07 UTC 2013

Folks:

Here's some recent news:

http://m.washingtonpost.com/world/national-security/us-spy-agencies-mounted-231-offensive-cyber-operations-in-2011-documents-show/2013/08/30/d090a6ae-119e-11e3-b4cb-fd7ce041d814_story.html

That article says that the U.S. espionage agencies have
surreptitiously installed sophisticated malware on tens of thousands
of remote machines, and have plans to increase that number into the
millions.

It is important to remember that while the U.S. espionage
establishment is the one that is currently having its activities and
plans exposed, it is not the only one of its kind. It is safe to
assume that there are many other organizations with similar
capabilities engaged in similar activities. It is also likely that
some of those groups are engaged not in warfare but in industrial
espionage or other kinds of theft or sabotage.

In this modern world, it would be very useful if you could check
whether the binaries that you are running are the same as the binaries
that other people are running that were ostensibly built from the same
source code.

That way, implanted malware would be more likely to be exposed. This
is the idea of "reproducible builds", as championed by Tor ¹, Bitcoin
², and Debian ³
. LWN.net recently had a nice overview article about
this: ⁴.

Now: how do we start? We have a trac ticket:

https://tahoe-lafs.org/trac/tahoe-lafs/ticket/2057# reproducible builds

But I don't understand what the next step on the path to really
protecting users. The situation we're considering here is that a user
is installing Tahoe-LAFS, for example by running "sudo apt-get install
tahoe-lafs" on Debian, and the computer that was used to build the
tahoe-lafs Debian package had malware running on it, that inserted a
backdoor into the tahoe-lafs Debian package. How can we help users to
defend against that?

There are lots of other packagers which provide installable versions
of Tahoe-LAFS to their users. For example, the "pkgsrc/NetBSD" system
⁵, whose Tahoe-LAFS package is maintained by Greg Troxel, who reads
this mailing list.

If you click on the big friendly blue "Download Tahoe-LAFS" button on
the front page of https://Tahoe-LAFS.org, it takes you to a menu of
packages provided by different free-and-open-source operating systems.

One thing that worries me about this issue is that it is one of those
things were different open source projects can reasonably assume that
it is Someone Else's Problem to fix this. I've often seen this: when
there is an issue that spans multiple open source projects, that it is
hard to make progress on that issue, since every open source project
has a theory of how it ought to be fixed by some other open source
project taking responsibility for it.

So what can we do to push on this issue now?

Regards,

Zooko

¹ https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise

² https://en.bitcoin.it/wiki/Release_process

³ https://wiki.debian.org/ReproducibleBuilds

⁴ http://lwn.net/Articles/564263/

⁵ ftp://ftp.netbsd.org/pub/pkgsrc/current/pkgsrc/filesystems/tahoe-lafs/README.html