1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
|
# repro-threshold
Threshold-based Reproducible Builds pluggable transport using your trusted rebuilders.
Run `repro-threshold` with no arguments to start a
[`ratatui`](https://github.com/ratatui/ratatui) based configuration interface.
**Status**: Very experimental
## Why this exists
- Open Source gives you the source code and often also provides prebuilt binaries
- You have to trust the build server (and their operators) that they've actually used this source code with no modifications
- There is an [ongoing effort](https://reproducible-builds.org/) to make the build deterministic and the build environment documented so other people can reproduce bit-by-bit identical binaries from source code
- With `repro-threshold` you can enforce a policy to only install packages reproduced by multiple groups you trust
## Who to trust?
Who you trust to do this verification is a very personal choice and there's no
obvious right or wrong. This is why `repro-threshold` let's you configure this
yourself, along with the number of required groups having confirmed the binary.
There's a [public list of groups](https://github.com/kpcyrd/rebuilderd-community),
this can automatically be loaded by pressing `ctrl+R` in the rebuilder selection
screen of the TUI.
The trust necessary to the individual rebuilder is limited, most importantly:
> Out of the rebuilders you select,
>
> and the threshold configured,
>
> you trust no group is going to collude
>
> big enough to exceed your threshold.
If necessary, you can also always run your own.
The security control by `repro-threshold` is additive, this means even if it
gets fully bypassed/broken somehow, you won't be worse off than without it.
## What is the 'blindly trust' set?
As of this writing, it's currently not practical/possible to build a Debian/Arch
Linux computer with reproducible-only packages, so there's a mechanism to
exclude packages from this check and permit installation even if there's no
evidence it was built from the given source code.
## What this doesn't fix
The Reproducible Builds stack gives you a trusted path from source code to binary.
It doesn't help if the source code itself is malicious/harmful. The source code
may still contain security vulnerabilities or [intentional
backdoors](https://en.wikipedia.org/wiki/XZ_Utils_backdoor). Choose wisely what
software you put into your computer.
## Privacy notes
The rebuilders you configure as trusted can see the packages and updates you are
interested in.
## Integration: alpm
⚠️ This hasn't been implemented yet
```
# /etc/pacman.conf
XferCommand=/usr/bin/repro-threshold transport alpm -O %o %u
```
## Integration: apt
Register repro-threshold as an available apt transport method:
```
ln -s /usr/bin/repro-threshold /usr/lib/apt/methods/reproduced+http
ln -s /usr/bin/repro-threshold /usr/lib/apt/methods/reproduced+https
```
Update your sources in /etc/apt/ to use this transport method:
```
#deb [arch=amd64] reproduced+http://deb.debian.org/debian unstable main
Types: deb
URIs: reproduced+http://deb.debian.org/debian
Suites: stable stable-updates
Components: main
Architectures: amd64
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
```
## License
`Apache-2.0 OR MIT-0`
|
