openSUSE Factory can now generate reproducible builds

openSUSE project developers have announced support for reproducible builds in the openSUSE Factory repository, which follows a rolling-update model of continuously refreshed package versions and serves as the basis for building the openSUSE Tumbleweed distribution. The openSUSE Factory build configuration now makes it possible to verify that the binaries shipped in packages are built from the published source code and contain no hidden changes. For example, any user can personally check that the offered builds match, bit for bit, builds they have made themselves from the source code.

Producing a reproducible build means accounting for details such as exactly matching dependencies, an unchanged set and fixed versions of build tools, an identical set of options and default settings, a preserved file ordering during the build (using the same sorting methods), and suppressing the non-deterministic metadata the compiler would otherwise add, such as random values, file path references, and the build date and time.
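As an added illustration (not part of the original article or of openSUSE's build tooling), the following Python script packs a small constructed source tree into a tarball twice, once the naive way and once applying the fixes the paragraph lists (sorted file order, a pinned timestamp in place of the real mtime and gzip header time, no owner or mode leakage), and checks whether the two archives are bit-identical. SOURCE_DATE_EPOCH here is a constructed constant rather than the environment variable a real build would read.

```python
import gzip, hashlib, io, os, shutil, tarfile, tempfile

# Constructed stand-in for the $SOURCE_DATE_EPOCH value a reproducible build pins.
SOURCE_DATE_EPOCH = 1_700_000_000


def build_archive(src_dir: str, reproducible: bool) -> bytes:
    """Pack src_dir into an in-memory .tar.gz. reproducible=False mimics a naive build
    (filesystem order, real mtimes/owners, gzip header stamped with 'now')."""
    buf = io.BytesIO()
    gz_mtime = 0 if reproducible else None  # None makes gzip write time.time()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=gz_mtime) as gz, \
            tarfile.open(fileobj=gz, mode="w") as tar:
        for root, dirs, files in os.walk(src_dir):
            if reproducible:       # fixed file order instead of whatever listdir returns
                dirs.sort()
                files.sort()
            for name in files:
                path = os.path.join(root, name)
                info = tar.gettarinfo(path, arcname=os.path.relpath(path, src_dir))
                if reproducible:   # strip the per-checkout metadata the article warns about
                    info.mtime = SOURCE_DATE_EPOCH
                    info.uid = info.gid = 0
                    info.uname = info.gname = ""
                    info.mode = 0o644
                with open(path, "rb") as fh:
                    tar.addfile(info, fh)
    return buf.getvalue()


# Constructed source tree, "checked out" twice below with different mtimes.
SOURCES = {"src/main.c": "int main(void) { return 0; }\n", "Makefile": "all:\n\tcc src/main.c\n"}


def make_tree(files: dict, mtime: int) -> str:
    """Write the constructed sources into a fresh temp dir, stamping each file with mtime."""
    root = tempfile.mkdtemp()
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
        os.utime(path, (mtime, mtime))
    return root


def builds_match(reproducible: bool) -> bool:
    """Build two checkouts made at different times; True if the archives are bit-identical."""
    trees = [make_tree(SOURCES, 1_600_000_000), make_tree(SOURCES, 1_650_000_000)]
    digests = {hashlib.sha256(build_archive(t, reproducible)).hexdigest() for t in trees}
    for t in trees:
        shutil.rmtree(t)
    return len(digests) == 1
```

The naive archives differ because the checkout mtimes leak into the tar headers, while the reproducible ones hash identically regardless of when or where the sources were checked out.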

Being able to verify that a binary build is identical means users need not rely solely on trust in the build infrastructure, where a compromised compiler or build tool could lead to hidden backdoors being planted. For example, openSUSE developers used reproducible builds to rule out malicious modifications that could have been introduced into the repository as a result of the backdoor incident in the xz package (the compromised liblzma library, used to unpack the archive with the GCC source code, could potentially have altered that source in ways usable to insert malicious elements into compiled applications).

The Factory repository is not intended for end users; it is used mainly by distribution developers, since it is not guaranteed to be stable at all times. System packages added to Factory undergo automated testing with openQA. Once testing is complete and the dependency state has been verified to be consistent, the contents of the repository are synced to mirrors several times a week and the resulting snapshot is published as openSUSE Tumbleweed.
