[Whonix-devel] Announcing Whonix's First Implementation of Verifiable Builds

adrelanos adrelanos at riseup.net
Wed Dec 11 15:55:41 CET 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi,

you may or may not be interested, that Whonix [1] (a derivative of
Debian) first implementation of verifiable builds has been finished.
It should make it reasonable to believe, that the original Whonix.ova
images have been build from the source code that has been published
for that Whonix version with no malicious additions by the Whonix
builder or build machine. Next Whonix version will be build that way.

It's not as good as reproducible-builds [0], where you can simply
compare the hash of the resulting image, but without any
deterministically build operating systems, that's impossible for the
Whonix project to archive.

How it works (very brief)... Whonix does not add binary packages. All
binary packages are taken from Debian repositories. Whonix is only a
collection of config files and scripts. Images is extracted, MBR, VBR
gets dumped and compared, checksums of all files within the image are
created. All information is written into a report file. When having
two reports (one of official builds and a own build), those can be
compared. The full documentation of that feature and links to the
related scripts can be found in whonix.org wiki. [2]

I am happy to hear if I have overseen any holes, where backdoors could
still be hidden.

And I also have a question. During Whonix's build process, after
installing all packages inside the image, commands like

/var/lib/dpkg/info/docbook-xml.prerm remove
/var/lib/dpkg/info/docbook-xml.postrm purge

are run. And during first boot, commands like

/var/lib/dpkg/info/docbook-xml.preinst install
/var/lib/dpkg/info/docbook-xml.postinst configure

are run. Is there perhaps a better way of temporarily getting rid of
non-deterministic files than manually running these scripts, for
example letting dpkg call those scripts?

Cheers,
adrelanos

[0] https://wiki.debian.org/ReproducibleBuilds
[1] https://www.whonix.org
[2] https://www.whonix.org/wiki/Verifiable_Builds
-----BEGIN PGP SIGNATURE-----

iQJ8BAEBCgBmBQJSqHzrXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ5QjE1NzE1MzkyNUMzMDNBNDIyNTNBRkI5
QzEzMUFEMzcxM0FBRUVGAAoJEJwTGtNxOq7vbg0P/26xjYKJpfiWnXhY7rcyPDB8
zbOnap2aJ2aSDPIBXJfgnkp/2nVdIXufjHt4en5Ea3cbCUf/f5F2R4VyUpFYRQkd
HKGMHwzvIIlTYY6mXQa9+EHVmc2bvnYOpBjxkcJbrqj4rX3c9yR0kIEzhhukFRMK
M2e7SsKp0IyXTVe5jkavBqPXEF9PRRmNaEt19VFHh36OcdzKcPlz/qX1UEqez0sw
B3QeZkjKhfh53hutMsZeKrEhUDl9jA9P6kTovIVYHV4fBr6/0ViTtvZHjELHhbHr
DUAO2QikyOp0jpDv3bLR1Y2a0hygOH4XQyWdcd0vG5gu0LtZ1zaWRlbMGbNUPIQz
ptDxVFBNHA7MXrfHoo+cEsbLdjZr746COKBzvnDknv8iS1NU6ibCMJAIB9wMBGES
tQ/qyC90Sfq4Dc9war3KExF79VaPISDEZw5S8ZlNvTtaT5xPwhyqmiTz0A17h+pd
2DBVbq2ikgQPeX0meePvde3nuInKczpZHXsK1ixCbfpQ0BVnGBtZYF/8mLE/Cryu
uZTXFKy4SZ+gthEkLkWju5acduBB8YAx5qYVqhVJM04THYjblFTYOYOpkfzT/lUk
EZ4SJ0QHtDR2JO0Sw11Q0FXZfMxVGQj7KLO3wHW9Aae+tmQ/7pXBnlo9Oq0CQ85s
CGdSWIZkozxgrggXegiP
=SfnZ
-----END PGP SIGNATURE-----



More information about the Whonix-devel mailing list