[Tails-dev] Help us build Tails 3.2~alpha1 build reproducibl…

Nachricht löschen

Nachricht beantworten
Autor: anonym
Datum:  
To: tor-dev, tor-talk, tails-dev, rb-general
Neue Treads: [Tails-dev] Let's build Tails 3.2~alpha2 instead! [Was: Help us build Tails 3.2~alpha1 build reproducibly]
Betreff: [Tails-dev] Help us build Tails 3.2~alpha1 build reproducibly
Dear Tails and Tor contributors,
dear Reproducible Builds community,

We have sent out a first call [1] for testing to build Tails 3.1 reproducibly
and we have received some build reports. Thank you very much for your help! We
have since then tried to fix most of the identified issues [2] in Tails
3.2~alpha1, and thus we'd kindly like to ask you to try to build the new ISO
image again, or even for the first time. Please don't hesitate to contact us
if you get stuck at some point in the process, for example by connecting to our
chatroom [3]! You can also send us email to tails-dev at boum.org (public) or
tails at boum.org (private).

Note that Tails 3.2~alpha1 is *not* recommended for real usage, since it has
not gone through *any* QA. Please use Tails 3.1 instead until Tails 3.2 is
released!

# How?

For your convenience all instructions needed to attempt to reproduce
Tails 3.2~alpha1 are included hereafter. However all commands are
adapted for Debian Stretch (and Buster/Sid), so your results may vary if
you run another Linux distribution. Our full build instructions [4]
might help if you are having problems.

## Setup the build environment

Building Tails requires the KVM virtual machine hypervisor to be
available, a minimum of 1 GiB of free RAM and a maximum of 20 GB of
free storage.

### Install dependencies

    sudo apt-get install \
        git \
        rake \
        libvirt-daemon-system \
        dnsmasq-base \
        ebtables \
        qemu-system-x86 \
        qemu-utils \
        vagrant \
        vagrant-libvirt \
        vmdebootstrap && \
    sudo systemctl restart libvirtd


### If building as a non-root user

(Skip this section if you intend to build Tails as the root user!)

Make sure that the user that is supposed to initiate the build is part
of the relevant groups:

    for group in kvm libvirt libvirt-qemu; do sudo adduser $user $group; done


Then run `newgrp` (or just reboot) to apply the new group memberships
to the session.

## Build Tails 3.2~alpha1

    git clone https://git-tails.immerda.ch/tails
    cd tails
    git checkout 3.2~alpha1
    git submodule update --init
    rake build


# Send us feedback!

No matter how your build attempt turned out we are interested in you
sending us feedback. For that we'll first need some information of the
system you used -- please run these commands in the exact same
terminal session that you ran `rake build` in (e.g. run them right
after `rake build`)!

    sudo apt install apt-show-versions || :
    (
      for f in /etc/issue /proc/cpuinfo
      do
        echo "--- File: ${f} ---"
        cat "${f}"
        echo
      done
      for c in free locale env 'uname -a' '/usr/sbin/libvirtd --version' \
                'qemu-system-x86_64 --version' 'vagrant --version'
      do
        echo "--- Command: ${c} ---"
        eval "${c}"
        echo
      done
      if which apt-show-versions >/dev/null
      then
        echo '--- APT package versions ---'
        apt-show-versions qemu:amd64 linux-image-amd64:amd64 vagrant \
                          libvirt0:amd64
      fi
    ) | bzip2 > system-info.txt.bz2


Please have a look at the generated file with

    bzless system-info.txt.bz2


to make sure it doesn't contain any sensitive information you do not
want to leak in case you send this file to us or make it public!

Next, please follow the instructions below that match your situation!

## If the build failed.

Please open a ticket on our bug tracker [5] with "Category" set to
"Build system" and `system-info.txt.bz2` attached (note that this makes
this file public).

## If the build succeeded ...

Please compute the SHA-512 checksum of the resulting ISO image:

    sha512sum tails-amd64-3.2~alpha1.iso


and compare it to:

    1c928336264fc44821562f2fffbda4da97dcdc38072fce58f55b749fde04ac60055273cfc021b6c57120c5d276980859ffa3a5b0bd0f9c98851f34b682a09b02  tails-amd64-3.2~alpha1.iso


Bonus points if you verify the signed (with: [8]) message containing
the checksum below (note that manually inserted line-wraps marked with
"`\`"). If you run Tails, the verification is very easy! :) [9]

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

    $ sha512sum tails-amd64-3.2~alpha1.iso
    1c928336264fc44821562f2fffbda4da97dcdc38072fce58f55b749f \
    de04ac60055273cfc021b6c57120c5d276980859ffa3a5b0bd0f9c98 \
    851f34b682a09b02  tails-amd64-3.2~alpha1.iso


-
### ... and the checksums match (i.e. reproduction succeeded).

Congrats for successfully reproducing Tails 3.2~alpha1! Please send an email
to tails-dev at boum.org (public) or tails at boum.org (private) with the
subject "Reproduction of Tails 3.2~alpha1 successful" and attach
`system-info.txt.bz2` to it.

### ... and the checksums differ (i.e. reproduction failed).

Now you are in a great position to help Tails improve its
reproducibility! Please install
`diffoscope` [7] version 83 or higher. If you
run Debian Stretch, that is:

    echo 'deb http://ftp.debian.org/debian stretch-backports main' \
      | sudo tee /etc/apt/sources.list.d/stretch-backports.list && \
    sudo apt update && \
    sudo apt -o APT::Install-Suggests="true" \
             -o APT::Install-Recommends="true" \
             install diffoscope -t stretch-backports


Then download the official Tails 3.2~alpha1 ISO image [6] and compare it
to yours:

    diffoscope \
        --text diffoscope.txt \
        --html diffoscope.html \
        --max-report-size 262144000 \
        --max-diff-block-lines 10000 \
        --max-diff-input-lines 10000000 \
            path/to/official/tails-amd64-3.2~alpha1.iso \
            path/to/your/tails-amd64-3.2~alpha1.iso && \
    bzip2 diffoscope.*


Please send an email to tails-dev at boum.org (public) or tails at boum.org
(private) with the subject "Reproduction of Tails 3.2~alpha1 failed" and
attach `system-info.txt.bz2` to it. We also want you attach one (the
smallest!) of `diffoscope.txt.bz2` and `diffoscope.html.bz2` to the email,
but if they are "big" (say >100 KiB) then please don't bomb our mail
inboxes! Instead upload the file to some web-based file-sharing
service (we recommend RiseUp [10]) and include the link(s) in the email.

Thank you very much for your interest and help!

Cheers!
The Tails project

[1] https://mailman.boum.org/pipermail/tails-dev/2017-August/011591.html
[2] https://labs.riseup.net/code/issues/13624
https://mailman.boum.org/pipermail/tails-dev/2017-March/011297.html
[3] https://tails.boum.org/support/#talk
[4] https://tails.boum.org/contribute/build
[5] https://labs.riseup.net/code/projects/tails/issues/new
[6] http://dl.amnesia.boum.org/tails/alpha/tails-amd64-3.2~alpha1/
https://mirrors.wikimedia.org/tails/alpha/tails-amd64-3.2~alpha1/
https://mirrors.kernel.org/tails/alpha/tails-amd64-3.2~alpha1/
[7] https://diffoscope.org/
[8] https://tails.boum.org/tails-signing.key
[9] https://tails.boum.org/doc/encryption_and_privacy/gpgapplet/decrypt_verify/
[10] https://share.riseup.net/
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEUrafEKOweFrQWvtHHYTM8BDMW8cFAlmxuZIACgkQHYTM8BDM
W8fBag/+PlnYIFIfxf4KbPh97Tm9hrNlC6bJp5uTC+6WebBamVsEDekQXnXRzEtF
wN4btdFG7MJuLHocSqeiV7gX33A07+KaugqCjQ4NJcVkZ6L9HPK6a1bjn9909EWw
l/Cfn0NxaSkfGLhOsk2wFOm2BHU890But+j3bOPOU61JNMVUpwiHUbN2DS1xDK2X
ZKE0dlOP3O4TC7kee7rRy6PFUVQx0eQkVW+1qrcusEeHEkc/Z6YzuLmNBdcHJ96m
/OfkEi4ygY6l9j0B8z4O/vqPkyeU5VWQWwhhnETvJiSDqs5WNLDuttHOsumP0r29
sluAmicjNoM48mWJHwiyLYnEt5SfFHXOqHXPP1k5YzTOMLRfv/F2eH4Zoq/eI8TM
sJy2MO+MgShH8SAOe1vJMBlV9Jqs6t85eToQt+39RFCCn4geyEYlynrk2Ka2hE3n
ycn2Qa79nbNK8NJve+1rPZTiJq3lgYyXTYyb8chefKyWm1IsAdY8grS0UIYP44Po
KAApudKD75DuCf6qczkOChVeAOcABu63RmAJLnJTYnEwGf7JLJ+KHrCdq0FQQS8s
/PulDSSDZo9bhLAHx9tO2T6p2snJfZSf9/dmvM5H+kOlMwzY8GciCgN6wlluwlnU
5WMfAMYT5mhuKIH/WIU5BXlKuUj1MuOi0c64q2MQM2GByJ6SOa8=
=6m+4
-----END PGP SIGNATURE-----