Under Gitian’s protective wings
While build reproducibility as a whole is progressing well (see the graph, right), it’ll be some time before general users can join in the effort for everyday packages. However, reproducibility has been identified as a priority for certain packages, including the Bitcoin Core client and Tor. These projects, being concerned with people’s (magic internet) money and privacy, have good reason to embrace any means of furthering their security. To that end both have adopted Gitian for building and distributing their binaries.
Gitian was developed by the Bitcoin community, a small group who realised that the handful of machines used to build the official client (usually developers’ personal laptops) represented single points of failure. Development started in the early Bitcoin days, back in 2011. Given the volumes of real money traded on Bitcoin exchanges today, one can understand the desire to use any available tooling to protect it.
In the case of the Tor Browser Bundle, Gitian is used in conjunction with the MinGW-w64 environment to provide reproducibility for Windows builds, and cross-compilation tools make this possible on Mac as well. Gitian is native to Ubuntu and uses the Python-based VMBuilder to create a base Ubuntu VM with Qemu. Multiple builders can then reproduce this environment easily and compare their resulting binaries. Since the Tor Browser Bundle includes Firefox (several million lines of code), the effort to make it reproducible (which started in 2012) uncovered all kinds of hitherto unseen challenges. These included random file orderings coming from the multi-threaded build process, and uninitialised memory introducing random bits into the resulting binaries.
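The two ideas above, several independent builders comparing their outputs and build-order nondeterminism breaking that comparison, can be shown in a few lines. The following is an added example written for this article, not code from Gitian, Bitcoin Core or the Tor project: it packs a constructed set of "build output" files into an in-memory tar archive, once in whatever order the build happened to emit them (with a fresh timestamp, as an unfixed build would), and once with sorted file order and fixed metadata, then checks whether three simulated builders agree on the archive digest. The file names and contents are made up for the demonstration.

```python
import hashlib
import io
import tarfile
import time

# Constructed sample "build output" (file name -> bytes); not real Tor or Bitcoin artifacts.
BUILD_OUTPUT = {
    "bin/tor-browser": b"\x7fELF placeholder bytes for a constructed binary\n",
    "lib/libxul.so": b"\x7fELF placeholder bytes for a constructed library\n",
    "README": b"Constructed bundle README\n",
}


def pack(files, names_in_order, normalize):
    """Write files into an in-memory tar archive and return its SHA-256 hex digest.

    names_in_order simulates the order in which a (multi-threaded) build emitted
    the files. With normalize=False the archive mirrors a naive build: files are
    added in that order and stamped with the current time. With normalize=True
    the two classic fixes are applied: sort the entries and pin the metadata.
    """
    buf = io.BytesIO()
    order = sorted(names_in_order) if normalize else list(names_in_order)
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in order:
            data = files[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            if normalize:
                # Fixed metadata: no builder-specific clock, owner or umask leaks in.
                info.mtime = 0
                info.uid = info.gid = 0
                info.uname = info.gname = ""
                info.mode = 0o644
            else:
                # A naive build stamps each entry with whenever it was produced.
                info.mtime = time.time()
            tar.addfile(info, io.BytesIO(data))
    return hashlib.sha256(buf.getvalue()).hexdigest()


def builder_results(normalize):
    """Simulate three builders whose build trees emitted the same files in
    different orders (the multi-threaded ordering problem) at different times.
    Returns a mapping of builder name -> archive digest."""
    names = list(BUILD_OUTPUT)
    orders = [names, names[::-1], [names[1], names[0], names[2]]]
    return {
        f"builder{i}": pack(BUILD_OUTPUT, order, normalize)
        for i, order in enumerate(orders, start=1)
    }


def all_agree(results):
    """The cross-check that matters: every independent builder must arrive at
    exactly the same digest, otherwise the build is not reproducible."""
    return len(set(results.values())) == 1


if __name__ == "__main__":
    naive = builder_results(normalize=False)
    fixed = builder_results(normalize=True)
    print("naive build, builders agree:", all_agree(naive))
    print("normalized build, builders agree:", all_agree(fixed))
    for name, digest in fixed.items():
        print(f"  {name}: {digest}")
```

Sorting the entries removes the ordering nondeterminism the Tor developers hit; pinning mtime, owner and mode removes the per-machine metadata that would otherwise make every builder's archive unique. Uninitialised memory leaking into the binaries themselves is not something an archiver can fix; that has to be addressed in the compiler and linker invocations, but the digest comparison above is exactly how such a leak is detected.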