[RFC] Trusted build process

[Gavin Andresen]

It is time to build and test a new version of bitcoin.

In the past, Satoshi built the Windows and Linux releases, Laszlo built the Mac releases, and we trusted them not to put malware in them (or we compiled ourself from source).

Satoshi is busy, and even if he wasn't he shouldn't be spending his time doing a job that a lot of the rest of us are capable of doing.  So we need a new process.

Ideally, that process should be open and verifiably trustworthy.  So I'd like to propose that we do the following:

1. For each platform, somebody creates a pristine, reproducible build environment, preferably as a virtual machine image that anybody can download, inspect, clone, run, etc.

Anybody should be able to reproduce the build environment by running or following a script (e.g. "Install Ubuntu X.Y.Z.  apt-get the following versions of the following packages... etc").

2. A copy of that virtual machine is used to build/package the release.

3. Anybody can audit the process by re-creating the build environment and ensuring that they end up with "identical" executables.  (where "identical" means compare the code in the executables, ignoring timestamps or other meta-info linkers put into executables -- are there already tools to do that, or do we need to roll our own?).

Feedback?  Suggestions for improvement, or are there better ways of creating 'trusted builds' ?

[1715005122]

1715005122

[1715005122]

1715005122

[1715005122]

1715005122

[MoneyTree]

Hello Gavin,

totally agree. There should be a validated process to release new builds without being dependent on a single (or small group of) persons. This is also good for the continuity of the bitcoin project as a whole.

For me personally: The sooner the nolisten=1 config option is compiled into the windows binary the better! 

[LZ]

Good idea. Besides, I prefer that this image can be mounted, so I can just chroot to it.

[devrandom]

I started an initiative ( https://gitian.org/  ) for exactly this purpose.  My motivational article is here: http://hyper.to/blog/link/attack-scenarios-software-distribution/

What is needed is a deterministic build process.  I would love to collaborate on tools to achieve this.

[Nefario]

This is only a little related to the above thread. Can we make building bitcoin a little easier? After finding the binary doesn't work on my server (amd64 ubuntu 8.10) I went to build and found out about all the libraries it needs (that are not available as apt-get for this distribution).

Probably not too important.

[ribuck]

...that process should be open and verifiably trustworthy ... a pristine, reproducible build environment, preferably as a virtual machine image ...

I think a virtual machine image is a bad idea, because a malicious person could include a modified tool within this virtual image. The C++ compiler, for example, could be modified for malicious purposes, and this might not be detected.

Surely it's safer to specify the build environment (i.e. version numbers and configuration of each tool) and leave others to assemble the build environment from those specifications.

Ken Thompson's very readable 1984 presentation describes this form of attack:

"Reflections on Trusting Trust"
http://cm.bell-labs.com/who/ken/trust.html

[Gavin Andresen]

ribuck:  what do you suggest instead?

I've read Ken Thompson's paper; that is what motivated me to propose a reproducible virtual machine image as the best we can do IN PRACTICE.

Yes, it is theoretically possible somebody might sneak bitcoin-stealing code into the gcc compiler.  Code that detects that bitcoin is being compiled and injects instructions to send coins to the sneaky gcc hacker.

In reality, we trust that the gcc maintainers are trustworthy and careful and that they care about their reputations.   If you don't trust them, what is the alternative?

Nefario: can "we" make building bitcoin easier?  I've been asking people to submit patches to the bitcoin linux build process, but so far none have been forthcoming...

devrandom:  Nice!

[ribuck]

Gavin, I think you misunderstood what I'm trying to say.

I'm not worried about the developers of gcc. I'm happy to trust them. I'm worried about the person who prepares the virtual image, and who could include their own patched malicious version of gcc.

What I suggest instead is simply to specify the build environment (tools, version numbers and configuration options) and allow others to set up that environment with software from standard repositories.

A virtual image of the build environment is not a big risk, but it seems to me it makes things slightly worse rather than slightly better.

[Gavin Andresen]

ribuck:  I did misunderstand, sorry.

And maybe I should have been clearer:  the idea behind a reproducible virtual image is exactly to capture tools, version numbers, etc etc.   Auditors that create their own virtual images with the same CPU, OS, tools, etc. will be relied upon to confirm that yes, the bitcoin executables on the website were indeed built using standard compilers/linkers/etc from a particular source revision.

[gigitrix]

This all sounds good, but for the ultraparanoid, get 2/3/n people to build on a given platform with an agreement on compiler and just compare the checksums, perhaps? Or am I missing a potential attack here?

[jgarzik]

With modern packaging, checksumming is quite easy -- provided that prelink is disabled (prelink rewrites binaries).  So gavin's proposal seems reasonable, and reproducible.

[devrandom]

The build environment can be specified as a VM build script.  Such as script will be relatively simple and easy to audit.

On Ubuntu/Debian, this could be done with a vmbuilder setup.  This would include vmbuilder config files and execscripts.  It would still be good to capture the set of packages installed, maybe with aptproxy or possibly just the version list and sha sums, so that the build is fully reproducible.

This of course assumes that the distributions are reliable, as we would depend on the distribution signature to certify that the distribution wasn't tampered with and is free of trojans.  In the future, it would be good to build an entire distribution from scratch and then use that as a trusted base.

[ribuck]

The build environment can be specified as a VM build script.

That sounds like a good solution.

In the future, it would be good to build an entire distribution from scratch and then use that as a trusted base.

As the bitcoin economy grows, there may come a time when that makes sense, but I think it's a while in the future still.

[devrandom]

Just to list potential sources of non-determinism that I know of when building on linux:

• zip/gzip (timestamps)
• tar (timestamps)
• dependencies (libraries, headers)
• compilers
• things I am forgetting right now

For other platforms there might be additional sources.  For things like zip/gzip/tar, it would be best to have a fixup tool that sets the timestamps to an agreed value.  For dependencies and compilers, we need a reference build platoform, such as a VM build script.

In the future, it would be good to build an entire distribution from scratch and then use that as a trusted base.

As the bitcoin economy grows, there may come a time when that makes sense, but I think it's a while in the future still.

My initiative (mentioned above) is for software distribution as a whole.  For that, it would be good to based all software distribution on multiple code signers.  For bitcoin itself, I agree that it's not yet appropriate, since there are easier attack vectors at this point.

[jgarzik]

Just to list potential sources of non-determinism that I know of when building on linux:

• zip/gzip (timestamps)
• tar (timestamps)
• dependencies (libraries, headers)
• compilers
• things I am forgetting right now

We should not be building anything except bitcoin itself.  Choose a distro with checksum'd packages, and you wipe out almost everything on your list.

[ptd]

Just to list potential sources of non-determinism that I know of when building on linux:

• zip/gzip (timestamps)
• tar (timestamps)
• dependencies (libraries, headers)
• compilers
• things I am forgetting right now

We should not be building anything except bitcoin itself.  Choose a distro with checksum'd packages, and you wipe out almost everything on your list.

Distro's use cryptographically signed packages rather than checksummed ones.

[bitcoinex]

The Linux distributions have a maintainers who are preparing to build sources. If you 'aptitude source package-name' a source package and compile it after checking src signature by yourself it's safe enough.

There is, however, the probability of a "third level" trojan , which can not be detected if has not been investigated source of bitcoin and source of compiler, but it is too high level matter and is can not resolved at this level of abstraction.

Also, I urge DO NOT use digital signatures in the packages because it do not give the opportunity to build two identical package, because signature are uses random numbers when creating. Instead, repository must be signed.

We should achieve a sustainable build of packages for most Linux distributions ubiquitous and discontinue to include binaries into tar archives since it is insecure.

What do users of windows and mac I do not know. I am feel sorry for them. Most likely Gavin's proposal it is for them. (about what it needed to establish some virtual environment and that everyone can verify that it works correctly)

Another idea: this is a kind of philosophical problem can be published on the various IT sites, cause a discussion that may help and also thus attract new bitcoin users.

[devrandom]

The Linux distributions have a maintainers who are preparing to build sources. If you 'aptitude source package-name' a source package and compile it after checking src signature by yourself it's safe enough.

There is, however, the probability of a "third level" trojan , which can not be detected if has not been investigated source of bitcoin and source of compiler, but it is too high level matter and is can not resolved at this level of abstraction.

The threat model that I think we could target here is a compromise of the build process, either by the builder or by a third party attacking their build environment.  An assertion from multiple builders that [source checksum, build script, build environment checksum] produces [executable checksum] gives high assurance that no such compromise occurred.

I'm going to spend some time on this for the linux environment in the next few days.

[jgarzik]

Distro's use cryptographically signed packages rather than checksummed ones.

Don't be so literal   "Checksum" is convenient shorthand.  You see this with the "sum" prefix in binaries named "md5sum", "sha1sum", etc.

[devrandom]

I have an initial implementation of the VM based build process.

The code is here: https://github.com/devrandom/gitian-builder

You will also need a build descriptor file, which is here: https://gist.github.com/803438 .  The file wxWidgets-2.9.1.tar.bz2 goes in the ./inputs directory.

This builds a 64 bit executable with an sha256sum of 53c586ca76d6548a722c11ab3e51936d2bc185d60cd7234314896aa0c1ae5d1e.  Let me know if you get anything different.  My host is Ubuntu Maverick, but this should not matter to the result.  The environment report is captured in the result directory.

Still to do:

* Generate a tar.gz file instead of just an executable.  This will require fixing the timestamps and compiling for 32 and 64 bits.
* Pin the deb package versions so that future upgrades to the target OS don't cause changes to the result.