
Zero-trust builds for FreeBSD

The FreeBSD Foundation has announced that it has undertaken a project to deliver zero-trust builds commissioned by the Sovereign Tech Agency (STA).

The Zero-Trust Build project is scheduled for January through August 2025 and centers on the FreeBSD build process, and in particular on release building. The primary goals of this work are to enable the entire release process to run without root access and to make the build artifacts reproducible – that is, a third party can build bit-for-bit identical artifacts.

Additionally, the project aims to enhance build process documentation, ensuring that release building is straightforward and does not require specialized knowledge. The work is targeted for completion prior to the release of FreeBSD 15.0.

The Foundation says that updates should not impact users of FreeBSD release images, but it may have an impact on developers basing projects or products on FreeBSD that make modifications to its release process.


Cross-compilation

Posted Jan 22, 2025 21:32 UTC (Wed) by ibukanov (subscriber, #3942) [Link] (1 responses)

It is not clear if FreeBSD will support reproducible builds that can be cross-compiled. Golang has such support with the -trimpath option for the compiler, which allows building the same bit-for-bit executable, for example for an x86-64 server while the developer uses an ARM Mac.

Cross-compilation

Posted Jan 23, 2025 21:23 UTC (Thu) by jrtc27 (subscriber, #107748) [Link]

FreeBSD has good cross-compilation support, in part due to its use of Clang rather than GCC (and thus not needing to build one compiler per target), but also due to build system hygiene in separating build and host (in autotools speak) tools like any good open-source project should. You can even cross-compile it from a Linux or macOS system (as of September 2020). If any of those produce different results (assuming reproducible builds are enabled, or modulo the usual path/time/etc embeddings if not that show up even when building natively) then that would be regarded as a bug today. The FreeBSD project found, diagnosed and fixed one such bug between i386 and amd64 hosts just last year (https://github.com/llvm/llvm-project/commit/c80c09f3e380a...), for example. So TL;DR, yes, cross-compiling is viewed as a first-class citizen for FreeBSD's base system and this should be in scope, if it's not already as true today as for native builds.

Reproducible builds improve privacy of the builder

Posted Jan 23, 2025 4:59 UTC (Thu) by brunowolff (guest, #71160) [Link]

This triggered me thinking about reproducible builds and I realized that they improve the privacy of the builder. While people will be able to figure out more or less what software was used to build the binary (which can reveal a lot), if you can confirm identical builds on independent machines, you can be pretty sure the build software isn't stamping the binary with geolocation information or CPU serial numbers.
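The "confirm identical builds on independent machines" check from the comment above, as an added example that is neither part of the announcement nor FreeBSD project code: a POSIX sh function that compares the SHA256 manifest of an official release build against one from an independent rebuild and reports every artifact whose digest differs. The manifest layout is the `SHA256 (name) = digest` form printed by BSD sha256(1); the artifact names and digests in the sample manifests are constructed placeholders, not real FreeBSD checksums.

```shell
# Added example (not FreeBSD project code): compare the SHA256 manifest of an
# official release build with one produced by an independent rebuild and report
# every artifact whose digest differs. Non-manifest lines are ignored.

# compare_manifests OFFICIAL INDEPENDENT
# Prints "MATCH name", "DIFF name" or "MISSING name" (absent from INDEPENDENT)
# per artifact listed in OFFICIAL. Returns 0 only when every artifact matches.
compare_manifests() {
    official=$1 independent=$2 status=0
    while IFS= read -r line; do
        case $line in
            "SHA256 ("*") = "*) ;;
            *) continue ;;
        esac
        name=${line#SHA256 (}
        name=${name%%) = *}
        digest=${line##* = }
        other=$(grep -F "SHA256 ($name) = " "$independent" | head -n 1)
        if [ -z "$other" ]; then
            echo "MISSING $name"
            status=1
        elif [ "${other##* = }" = "$digest" ]; then
            echo "MATCH $name"
        else
            echo "DIFF $name"
            status=1
        fi
    done < "$official"
    return $status
}

# make_sample_manifests DIR: writes two constructed manifests into DIR. The
# digests are made-up placeholders, not real FreeBSD release checksums.
make_sample_manifests() {
    d=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
    cat > "$1/official.SHA256" <<EOF
SHA256 (FreeBSD-15.0-RELEASE-amd64-disc1.iso) = $d
SHA256 (FreeBSD-15.0-RELEASE-amd64-memstick.img) = $d
SHA256 (FreeBSD-15.0-RELEASE-amd64-bootonly.iso) = $d
EOF
    cat > "$1/independent.SHA256" <<EOF
SHA256 (FreeBSD-15.0-RELEASE-amd64-disc1.iso) = $d
SHA256 (FreeBSD-15.0-RELEASE-amd64-memstick.img) = ${d%f}0
EOF
}

dir=$(mktemp -d)
make_sample_manifests "$dir"
compare_manifests "$dir/official.SHA256" "$dir/independent.SHA256" \
    || echo "rebuild is NOT reproducible against the official manifest"
```

A real check replaces the constructed manifests with the published CHECKSUM.SHA256 file and the one generated from a local rebuild; a DIFF line then points at the artifact whose build still embeds something host-specific.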

Bootstrappable?

Posted Jan 23, 2025 7:05 UTC (Thu) by pabs (subscriber, #43278) [Link] (1 responses)

I wonder if this will also include work on Bootstrappable Builds.

https://lwn.net/Articles/983340/
https://bootstrappable.org/

Bootstrappable?

Posted Jan 26, 2025 1:22 UTC (Sun) by Lennie (subscriber, #49641) [Link]

Based on the description they gave in the announcement, I think not.

But you probably have to get these steps done first before you can think about the others. Maybe not for a strictly technical reason, but from a sense of logical ordering.

Reproducible builds for FreeBSD

Posted Jan 23, 2025 13:54 UTC (Thu) by amacater (subscriber, #790) [Link]

The web site for reproducible builds hosted at https://reproducible-builds.org/ lists FreeBSD as one project working on being fully reproducible. I'm assuming that this funded work is part of that ongoing effort. Thanks to everyone working everywhere on reproducible builds - that's one component offering assurance and verification in software provenance.


Copyright © 2025, Eklektix, Inc.