3

Are Ubuntu builds deterministic? I assumed they are, that is, if I recreate the process of building Ubuntu installation media, I will get the same image (bit-for-bit, with the same checksums) as the one on the Ubuntu mirrors.

A recent post by Joanna Rutkowska (lead developer of the Qubes OS distro) suggests that it isn't so:

currently most projects, including all Linux distributions, do not build deterministically

Why not?

Nickolai Leschov
  • Asking "why not?" is subjective, and each question should only be one question, so I've removed that extra bit from your question. – dobey May 01 '15 at 16:20
  • @dobey I actually thought there might be the exact objective reason(s) "why not?", that's why I included this and as a single question, too. – Nickolai Leschov May 01 '15 at 17:05
  • @dobey I see no reason why "Why not?" would be any less objectively answerable, in this case, than the rest of the question. This question is asking if they are deterministic, and, if not, then what makes them not deterministic. I have rolled back your edit. – Eliah Kagan May 02 '15 at 21:32
  • @EliahKagan The words "why not?" tend to invite subjective criticism, rather than objective statements. – dobey May 02 '15 at 22:58
  • @dobey I disagree. In this case, "why not?" is asking what is happening, at a technical level, that causes different builds to sometimes consist of nonidentical binaries. This question, including that part of it, is asking for something objectively answerable. Is your concern that the words "why not?" might be misinterpreted by someone who hasn't actually read the question? If that's what you're worried about, I suppose you could edit this again, but I recommend rephrasing that part rather than radically changing the question by removing it against the OP's clearly expressed intent. – Eliah Kagan May 02 '15 at 23:56
  • @EliahKagan That is your interpretation of it. It may not be someone else's interpretation. If you want to ask that, then use more explicit phrasing. Removing it doesn't change the question. The question is about whether Ubuntu had reproducible builds (and it's thus a duplicate anyway). An answer for that question itself would also provide the answer as to why they are or are not built in that manner. So it is a secondary, unnecessary, and misleading thing to add to the question. :) – dobey May 02 '15 at 23:59
  • @dobey It's not just my interpretation, it's what the OP has explicitly told us about the question, in response to your edit. Asking whether or not X is the case is not at all the same as asking what causes X to be the case. – Eliah Kagan May 03 '15 at 00:01

2 Answers

2

No, they're not. Let's clarify a distinction here:

  • Does the system support "reproducible builds"?

    Yes, all systems support packages that are deterministic.

  • Does the system enforce "reproducible builds"?

    Nope, though it does help diagnose problems, and work is being done to make packages reproducible -- bugs are being reported and handled anyway.

  • Is everything, without exception, reproducible?

    Not even close.

Now let's define "reproducible builds"

A build is reproducible if given the same source code, build environment and build instructions, any party can recreate bit-by-bit identical copies of all specified artifacts.

The relevant attributes of the build environment, the build instructions and the source code as well as the expected reproducible artifacts are defined by the authors or distributors. The artifacts of a build are the parts of the build results that are the desired primary output.

Now let's talk about what is required

Check out this page under "How", which lays down three criteria:

  1. the build system needs to be made entirely deterministic: transforming a given source must always create the same result. Typically, the current date and time must not be recorded and output always has to be written in the same order.

  2. the set of tools used to perform the build and more generally the build environment should either be recorded or pre-defined.

  3. users should be given a way to recreate a close enough build environment, perform the build process, and verify that the output matches the original build.

You can find more documentation about all of that here.

As to why Ubuntu isn't currently reproducible, things like Perl currently fail because -V stores the compiler args for convenience -- they're waiting on GCC to patch this upstream. A lot of this functionality could simply be nuked. Some other problems: some man pages and programs have the build dates compiled in, others compile in mutable paths to shared libraries and the like.

Not being reproducible isn't a problem or a vulnerability. It just makes it harder to verify that you haven't been tampered with, and currently that functionality is being viewed as more valuable.

You can follow Debian's progress towards determinism here

Evan Carroll
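The first and third criteria in the answer above, as an added example that is not part of the original post: the same files are packed into a tar archive from two build environments, once recording the build time, builder uid and filesystem listing order, and once with those normalised, and the SHA-256 checksums are compared. The file contents, the two environments and the pinned timestamp are constructed for illustration.

```python
import hashlib
import io
import tarfile

# Constructed sample build output (path -> contents); not a real package.
FILES = {
    "usr/bin/hello": b"#!/bin/sh\necho hello\n",
    "usr/share/man/man1/hello.1": b".TH HELLO 1\n",
    "usr/share/doc/hello/copyright": b"Constructed example\n",
}

# Two constructed build environments: different clock, builder uid and the
# order in which the filesystem happened to list the files.
ENV_A = {"time": 1430496000, "uid": 1000, "order": list(FILES)}
ENV_B = {"time": 1430582400, "uid": 1001, "order": sorted(FILES, reverse=True)}
FIXED_MTIME = 1430438400  # assumed pinned timestamp agreed on by all builders


def build(env, reproducible):
    """Pack FILES into a tar archive and return the raw bytes."""
    names = sorted(FILES) if reproducible else env["order"]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = len(FILES[name])
            if reproducible:
                info.mtime = FIXED_MTIME     # do not record the build time
                info.uid = info.gid = 0      # do not record who built it
            else:
                info.mtime = env["time"]     # leaks the wall clock
                info.uid = info.gid = env["uid"]
            tar.addfile(info, io.BytesIO(FILES[name]))
    return buf.getvalue()


def checksum(env, reproducible):
    return hashlib.sha256(build(env, reproducible)).hexdigest()


def builds_match(reproducible):
    """Third criterion: rebuild in another environment and compare checksums."""
    return checksum(ENV_A, reproducible) == checksum(ENV_B, reproducible)


if __name__ == "__main__":
    print("naive:", builds_match(False), "normalised:", builds_match(True))
```
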
-1

For starters, I don't think Rutkowska was talking about building installation media deterministically, but about packages (deb, rpm).

Debian is working on building packages reproducibly (https://wiki.debian.org/ReproducibleBuilds) but there are still lots of packages that don't build that way...

Building a whole distribution deterministically surely is even more of a challenge.

Jan
  • This is why I voted it a duplicate of the question about reproducible builds which has already been answered. – dobey May 02 '15 at 22:59