Dear Tails and Tor contributors, dear Reproducible Builds community, As you might know, Tails [1] has received the Mozilla Open Source Software award (MOSS) to make Tails ISO images build reproducibly. Since this project has started, less than a year ago, we've made huge progress and we've finally seen some ISO images build reproducibly on the build environments of our core developers as well as on our isobuilder machines. (See our previous reports [2]). However, there are still some remaining issues which we'd like to know more about in order to fix them. That's why we are asking for your help: Please try and build the Tails 3.1 ISO image and report your findings back to us. You will find all instructions for doing so hereafter. Please don't hesitate to contact us if you get stuck at some point in the process, for example by connecting to our chatroom [3]. You can also send us email to tails-dev@xxxxxxxx (public) or tails@xxxxxxxx (private). # How? For your convenience all instructions needed to attempt to reproduce Tails 3.1 are included hereafter. However all commands are adapted for Debian Stretch (and Buster/Sid), so your results may vary if you run another Linux distribution. Our full build instructions [4] might help if you are having problems. ## Setup the build environment Building Tails requires the KVM virtual machine hypervisor to be available, a minimum of 1 GiB of free RAM and a maximum of 20 GB of free storage. ### Install dependencies sudo apt-get install \ git \ rake \ libvirt-daemon-system \ dnsmasq-base \ ebtables \ qemu-system-x86 \ qemu-utils \ vagrant \ vagrant-libvirt \ vmdebootstrap && \ sudo systemctl restart libvirtd ### If building as a non-root user (Skip this section if you intend to build Tails as the root user!) Make sure that the user that is supposed to initiate the build is part of the relevant groups: for group in kvm libvirt libvirt-qemu; do sudo adduser $user $group; done Then run `newgrp` (or just reboot) to apply the new group memberships to the session. ## Build Tails 3.1 git clone https://git-tails.immerda.ch/tails cd tails git checkout 3.1 git submodule update --init rake build # Send us feedback! No matter how your build attempt turned out we are interested in you sending us feedback. For that we'll first need some information of the system you used -- please run these commands in the exact same terminal session that you ran `rake build` in (e.g. run them right after `rake build`)! sudo apt install apt-show-versions || : ( for f in /etc/issue /proc/cpuinfo do echo "--- File: ${f} ---" cat "${f}" echo done for c in free locale env 'uname -a' '/usr/sbin/libvirtd --version' \ 'qemu-system-x86_64 --version' 'vagrant --version' do echo "--- Command: ${c} ---" eval "${c}" echo done if which apt-show-versions >/dev/null then echo '--- APT package versions ---' apt-show-versions qemu:amd64 linux-image-amd64:amd64 vagrant \ libvirt0:amd64 fi ) | bzip2 > system-info.txt.bz2 Please have a look at the generated file with bzless system-info.txt.bz2 to make sure it doesn't contain any sensitive information you do not want to leak in case you send this file to us or make it public! Next, please follow the instructions below that match your situation! ## If the build failed. Please open a ticket on our bug tracker [5] with "Category" set to "Build system" and `system-info.txt.bz2` attached (note that this makes this file public). ## If the build succeeded ... Please compute the SHA-512 checksum of the resulting ISO image: sha512sum tails-amd64-3.1.iso and compare it to: 843427fa13446c4b7134a10d3269b693317bbb898759e9d4e5dd8a25583372bed767e575974f5ca0229f1b44a99d4c7b64872c3dc433c0caf8965961cac9fb30 ### Use the SHA256sum from our signed upgrade files instead This is optional, but if you want to use an authenticated checksum, you can find the sha256 checksum in our upgrade files: https://tails.boum.org/upgrade/v1/Tails/3.0.1/amd64/stable/upgrades.yml .. which are signed by the Tails signing key [7]: https://tails.boum.org/upgrade/v1/Tails/3.0.1/amd64/stable/upgrades.yml.pgp The SHA256 checksum should be: 0ef1c7d880308ee9f98c255b2658b75445cc84622eae2944a342dcc50cea71c7 ### ... and the checksums match (i.e. reproduction succeeded). Congrats for successfully reproducing Tails 3.1! Please send an email to tails-dev@xxxxxxxx (public) or tails@xxxxxxxx (private) with the subject "Reproduction of Tails 3.1 successful" and attach `system-info.txt.bz2` to it. ### ... and the checksums differ (i.e. reproduction failed). Now you are in a great position to help Tails improve its reproducibility! Please install `diffoscope` [8] version 83 or higher. If you run Debian Stretch, that is: echo 'deb http://ftp.debian.org/debian stretch-backports main' \ | sudo tee /etc/apt/sources.list.d/stretch-backports.list && \ sudo apt update && \ sudo apt -o APT::Install-Suggests="true" \ -o APT::Install-Recommends="true" \ install diffoscope Then download the official Tails 3.1 ISO image [6] and compare it to yours: diffoscope \ --text diffoscope.txt \ --html diffoscope.html \ --max-report-size 262144000 \ --max-diff-block-lines 10000 \ --max-diff-input-lines 10000000 \ path/to/official/tails-amd64-3.1.iso \ path/to/your/tails-amd64-3.1.iso && \ bzip2 diffoscope.* Please send an email to tails-dev@xxxxxxxx (public) or tails@xxxxxxxx (private) with the subject "Reproduction of Tails 3.1 failed" and attach `system-info.txt.bz2` to it. We also want you attach one (the smallest!) of diffoscope.txt.bz2 and diffoscope.html.bz2 to the email, but if they are "big" (say >100 KiB) then please don't bomb our mail inboxes! Instead upload the file to some web-based file-sharing service (we'd recommend RiseUp [9]) and include the link(s) in the email. Thank you very much for your interest and help! Cheers! The Tails project [1] http://tails.boum.org [2] https://tails.boum.org/news/report_2017_06/, https://tails.boum.org/news/report_2017_05/, https://mailman.boum.org/pipermail/tails-dev/2017-March/011297.html [3] https://tails.boum.org/support/#talk [4] https://tails.boum.org/contribute/build [5] https://labs.riseup.net/code/projects/tails/issues/new [6] http://dl.amnesia.boum.org/tails/stable/tails-amd64-3.1/tails-amd64-3.1.iso [7] https://tails.boum.org/news/signing_key_transition/ [8] https://diffoscope.org/ [9] https://share.riseup.net/
Attachment:
signature.asc
Description: OpenPGP digital signature
-- tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk