
Portable and reproducible kernel builds with TuxMake


Posted Jan 6, 2021 9:42 UTC (Wed) by smurf (subscriber, #17840)
In reply to: Portable and reproducible kernel builds with TuxMake by amacater
Parent article: Portable and reproducible kernel builds with TuxMake

Debian's builds, strictly-reproducible or not, already create a .buildinfo artefact that lists the versions of all tools used to effect the build. Thus there's no need for yet another, container-based (ugh), tool like TuxMake that only works for a single package (the kernel).

Reproducible kernels are a very good idea, but they need to be based on reproducibly-built tools. Otherwise you have containers with SHA256s which you base your build on all you want, but what assurance do you have that the container was built with non-compromised tools in the first place? Does TuxMake address this?



Portable and reproducible kernel builds with TuxMake

Posted Jan 6, 2021 17:15 UTC (Wed) by terceiro (subscriber, #83820)

> Reproducible kernels are a very good idea, but they need to be based on reproducibly-built tools. Otherwise you have containers with SHA256s which you base your build on all you want, but what assurance do you have that the container was built with non-compromised tools in the first place? Does TuxMake address this?

The TuxMake container images are built upon the Debian images provided by Docker Inc. They use only official Debian packages, with the exception of daily toolchain builds for which we get packages from the upstream project. They are built on Gitlab CI, with arm64 builds done by a Linaro server, and x86_64 done by Gitlab.com workers. Therefore at the moment the integrity of the TuxMake images relies on the integrity of Docker Hub, Debian, LLVM nightly builds, Gitlab.com, and a Linaro server.

Given the current state of reproducible builds in the free software community, I would say the TuxMake containers are just good enough to get started. Of course, we can and should improve upon that (both TuxMake and the rest of the community). On the other hand, except for that Linaro server, a compromise in any of those means we all have bigger problems than the non-reproducibility of the TuxMake container images.

