Date: Sun, 30 Dec 2018 17:52:59 -0500
From: Max Rees
To: alpine-devel@lists.alpinelinux.org
Subject: Re: [alpine-devel] Report from Reproducible builds summit 2018
Message-ID: <20181230225258.GB9101@sachiel>
In-Reply-To: <1a664e98-3f41-5503-60af-98865c0b785f@toastin.space>

On Dec 17 11:07 PM, Chloe Kudryavtsev wrote:
> On 12/17/18 7:33 AM, Natanael Copa wrote:
> > * we may need to store the exact versions and/or hashes of the
> > dependencies used when a package was built. I am not sure where we
> > want to store this. Maybe in the APKINDEX?
>
> I think this is a good idea. Mostly a note in regards to the next comment.
>
> > * we embed the signature in the .apk, which means it's not possible to
> > re-create the exact same .apk without having access to the private
> > key. I'm not sure how to deal with that.
>
> I do not believe we need to allow for that.
> Since we want to store exact versions/hashes of dependencies in the .apk, I
> believe we can also store a hash of the resulting tree, pre-signature
> (meaning we sign the hash as well).
> This hash should be visible using apk(1), to allow people to
> programmatically verify that two .apks are the same internally, and
> guarantees the integrity of the hash in mirrors.

[apologies to Chloe - I forgot to list-reply on the first draft of this message]

The "datahash" field of the .PKGINFO file should be able to serve this purpose - it's the SHA256 checksum of the data.tar.gz file (i.e. the actual tree contents), and since it's located in control.tar.gz it's signed as part of the existing .apk file creation process.

I agree that apk(1) or perhaps a standalone utility should make it easier to get the datahash of an .apk file. As long as data.tar.gz is created reproducibly, then the datahash should end up being the same.

Max
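The check Max describes, as an added example that is not code from this thread or from apk-tools/abuild: it splits an .apk into its concatenated gzip members (assumed layout: signature.tar.gz, control.tar.gz, data.tar.gz), reads `datahash` out of .PKGINFO and recomputes SHA-256 over the raw data.tar.gz bytes. The sample packages, their file names and their signature members are constructed placeholders.

```python
import gzip, hashlib, io, tarfile, zlib

def split_gzip_members(blob: bytes) -> list:
    """Return the raw bytes of each concatenated gzip stream in blob."""
    members, pos = [], 0
    while pos < len(blob):
        d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # gzip framing
        d.decompress(blob[pos:])
        if not d.eof:
            raise ValueError("truncated gzip member at offset %d" % pos)
        members.append(blob[pos:len(blob) - len(d.unused_data)])
        pos += len(members[-1])
    return members

def pkginfo_datahash(control_tgz: bytes) -> str:
    """Read the datahash field out of .PKGINFO inside control.tar.gz."""
    with tarfile.open(fileobj=io.BytesIO(control_tgz), mode="r:gz") as tf:
        text = tf.extractfile(".PKGINFO").read().decode()
    for line in text.splitlines():
        key, _, value = line.partition(" = ")
        if key == "datahash":
            return value.strip()
    raise ValueError(".PKGINFO carries no datahash")

def apk_datahash(apk: bytes) -> tuple:
    """Return (declared datahash, sha256 of raw data.tar.gz, whether they match)."""
    members = split_gzip_members(apk)  # [signature,] control, data
    declared = pkginfo_datahash(members[-2])
    actual = hashlib.sha256(members[-1]).hexdigest()
    return declared, actual, declared == actual

def make_tgz(files: dict) -> bytes:
    """Constructed helper: deterministic tar.gz (sorted names, zero mtimes)."""
    raw, out = io.BytesIO(), io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tf:
        for name, content in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(content), 0
            tf.addfile(info, io.BytesIO(content))
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=0) as gz:  # fixed header mtime
        gz.write(raw.getvalue())
    return out.getvalue()

def build_apk(pkgname: str, files: dict, signer: str) -> bytes:
    """Constructed sample .apk; its signature member is a placeholder, not a real one."""
    data_tgz = make_tgz(files)
    pkginfo = "pkgname = %s\ndatahash = %s\n" % (pkgname, hashlib.sha256(data_tgz).hexdigest())
    control_tgz = make_tgz({".PKGINFO": pkginfo.encode()})
    sig_tgz = make_tgz({".SIGN.RSA.%s.rsa.pub" % signer: b"placeholder-signature"})
    return sig_tgz + control_tgz + data_tgz
```

The declared hash is only as trustworthy as the signature over control.tar.gz, so verify the .apk signature first; this check then tells you whether two differently signed builds carry a byte-identical payload.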