[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-talk] Help us build Tails reproducibly

Dear Tails and Tor contributors,
dear Reproducible Builds community,

As you might know, Tails [1] has received the Mozilla Open Source
Software award (MOSS) to make Tails ISO images build reproducibly.
Since this project has started, less than a year ago, we've made huge
progress and we've finally seen some ISO images build reproducibly on
the build environments of our core developers as well as on our
isobuilder machines. (See our previous reports [2]).

However, there are still some remaining issues which we'd like to know
more about in order to fix them. That's why we are asking for your
help: Please try and build the Tails 3.1 ISO image and report your
findings back to us. You will find all instructions for doing so
hereafter. Please don't hesitate to contact us if you get stuck at some
point in the process, for example by connecting to our chatroom [3].
You can also send us email to tails-dev@xxxxxxxx (public) or
tails@xxxxxxxx (private).

# How?

For your convenience all instructions needed to attempt to reproduce
Tails 3.1 are included hereafter. However all commands are
adapted for Debian Stretch (and Buster/Sid), so your results may vary if
you run another Linux distribution. Our full build instructions [4]
might help if you are having problems.

## Setup the build environment

Building Tails requires the KVM virtual machine hypervisor to be
available, a minimum of 1 GiB of free RAM and a maximum of 20 GB of
free storage.

### Install dependencies

    sudo apt-get install \
        git \
        rake \
        libvirt-daemon-system \
        dnsmasq-base \
        ebtables \
        qemu-system-x86 \
        qemu-utils \
        vagrant \
        vagrant-libvirt \
        vmdebootstrap && \
    sudo systemctl restart libvirtd

### If building as a non-root user

(Skip this section if you intend to build Tails as the root user!)

Make sure that the user that is supposed to initiate the build is part
of the relevant groups:

    for group in kvm libvirt libvirt-qemu; do sudo adduser $user $group;

Then run `newgrp` (or just reboot) to apply the new group memberships
to the session.

## Build Tails 3.1

    git clone https://git-tails.immerda.ch/tails
    cd tails
    git checkout 3.1
    git submodule update --init
    rake build

# Send us feedback!

No matter how your build attempt turned out we are interested in you
sending us feedback. For that we'll first need some information of the
system you used -- please run these commands in the exact same
terminal session that you ran `rake build` in (e.g. run them right
after `rake build`)!

    sudo apt install apt-show-versions || :
      for f in /etc/issue /proc/cpuinfo
        echo "--- File: ${f} ---"
        cat "${f}"
      for c in free locale env 'uname -a' '/usr/sbin/libvirtd --version' \
                'qemu-system-x86_64 --version' 'vagrant --version'
        echo "--- Command: ${c} ---"
        eval "${c}"
      if which apt-show-versions >/dev/null
        echo '--- APT package versions ---'
        apt-show-versions qemu:amd64 linux-image-amd64:amd64 vagrant \
    ) | bzip2 > system-info.txt.bz2

Please have a look at the generated file with

    bzless system-info.txt.bz2

to make sure it doesn't contain any sensitive information you do not
want to leak in case you send this file to us or make it public!

Next, please follow the instructions below that match your situation!

## If the build failed.

Please open a ticket on our bug tracker [5] with "Category" set to
"Build system" and `system-info.txt.bz2` attached (note that this makes
this file public).

## If the build succeeded ...

Please compute the SHA-512 checksum of the resulting ISO image:

    sha512sum tails-amd64-3.1.iso

and compare it to:


### Use the SHA256sum from our signed upgrade files instead

This is optional, but if you want to use an authenticated checksum,
you can find the sha256 checksum in our upgrade files:
.. which are signed by the Tails signing key [7]:

The SHA256 checksum should be:

### ... and the checksums match (i.e. reproduction succeeded).

Congrats for successfully reproducing Tails 3.1! Please send an email
to tails-dev@xxxxxxxx (public) or tails@xxxxxxxx (private) with the
subject "Reproduction of Tails 3.1 successful" and attach
`system-info.txt.bz2` to it.

### ... and the checksums differ (i.e. reproduction failed).

Now you are in a great position to help Tails improve its
reproducibility! Please install
`diffoscope` [8] version 83 or higher. If you
run Debian Stretch, that is:

    echo 'deb http://ftp.debian.org/debian stretch-backports main' \
      | sudo tee /etc/apt/sources.list.d/stretch-backports.list && \
    sudo apt update && \
    sudo apt -o APT::Install-Suggests="true" \
             -o APT::Install-Recommends="true" \
             install diffoscope

Then download the official Tails 3.1 ISO image [6] and compare it to yours:

    diffoscope \
        --text diffoscope.txt \
        --html diffoscope.html \
        --max-report-size 262144000 \
        --max-diff-block-lines 10000 \
        --max-diff-input-lines 10000000 \
            path/to/official/tails-amd64-3.1.iso \
            path/to/your/tails-amd64-3.1.iso && \
    bzip2 diffoscope.*

Please send an email to tails-dev@xxxxxxxx (public) or tails@xxxxxxxx
(private) with the subject "Reproduction of Tails 3.1 failed" and
attach `system-info.txt.bz2` to it. We also want you attach one (the
smallest!) of diffoscope.txt.bz2 and diffoscope.html.bz2 to the email,
but if they are "big" (say >100 KiB) then please don't bomb our mail
inboxes! Instead upload the file to some web-based file-sharing
service (we'd recommend RiseUp [9]) and include the link(s) in the email.

Thank you very much for your interest and help!

The Tails project

[1] http://tails.boum.org
[2] https://tails.boum.org/news/report_2017_06/,
[3] https://tails.boum.org/support/#talk
[4] https://tails.boum.org/contribute/build
[5] https://labs.riseup.net/code/projects/tails/issues/new
[7] https://tails.boum.org/news/signing_key_transition/
[8] https://diffoscope.org/
[9] https://share.riseup.net/

Attachment: signature.asc
Description: OpenPGP digital signature

tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to