[mosh-devel] Mosh OS X package build on Travis

john hood cgull at glup.org
Sun Nov 6 08:07:30 EST 2016 

On 11/2/16 8:43 PM, Jim Cheetham wrote:
> Quoting john hood (2016-11-02 18:45:17)
>> This isn't going to happen instantly.  One approach to the trust issue
>> here might be to just cop out-- stop doing OS X package builds and tell
>> people to build their own, until we get this stuff into better shape.
> 
> That probably doesn't really help - just because you can't have a 'perfect' build environment doesn't mean that the world is a better place if you have none :-)
> 
> Transparency is the first part: whatever your build method is, make sure it is described so that potential users can make up their own minds about the risks.
> 
> Then add as much accountability as possible, in terms of build logs and any artefacts like that, in case someone else can spot a problem that you didn't see on a particular given run. That is also helpful in terms of build quality itself, not just the security issues.
> 
> As long as there is a viable path for an end-user to take from the source to a binary without trusting anything else from you, that's great. Some products (e.g. TrueCrypt) were exceptionally difficult to build, which was a problem.
> 
> A repeatable build environment with a transparent trusted process? Probably not going to happen in the OS X world very easily, so just take steps to get closer :-)

It took a while but I've gotten someplace useful with this.  I improved
the Travis package build to better report its components and
environment, and the result can be seen at
<https://github.com/mobile-shell/mosh/pull/822> along with links to a
sample build.

It appears that deterministic builds are Not Possible with the Xcode
toolchain-- apparently the linker is threaded and puts things together
in an unpredictable order.  The bitcoin folks have managed to get
deterministic builds, but that requires cross-compiles on Linux VMs with
various tools assembled from various places, and some of the tools are
apparently fairly broken.  So I've put that aside for now.

I would certainly appreciate comments on how that build looks-- it
certainly reports things, and produces hashes on build products to add
some traceability, but I'm sure it can be improved.

regards,

  --jh

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 842 bytes
Desc: OpenPGP digital signature
Url : http://mailman.mit.edu/pipermail/mosh-devel/attachments/20161106/c94d0167/attachment.bin

More information about the mosh-devel mailing list