Reproducible Builds Stage 2
There has been a lot of progress to achieve reproducible builds of the Tails ISO image (#5630 (closed)). But to effectively protect against infrastructure or developer compromise, it should also be possible to verify that the packages downloaded from our repositories are not modified. This affects two repositories:
1. The custom APT repository we host to provide our custom Debian packages.
2. The snapshots of the Debian repositories we host to fetch Debian packages during build.
(We host a third repository, but it affects only development builds, so it is not relevant for releases, which is what we care about in this effort.)
Those packages could be maliciously modified by administrators or compromised infrastructure, and there is currently no process to verify that these packages are not modified.
We want to solve this issue in the “second stage” of our effort to provide reproducible builds.
One question shall be answered first though: assuming we solve the issues described above, what are the remaining ones? IOW, will this substantially raise the bar for an adversary?
Related issues
- Related to #6220
Original created by @segfault on 14455 (Redmine)