Introduce fully reproducible image builds #2

Open
opened 2025-12-06 11:10:58 +01:00 by alex · 1 comment
Owner

At the moment, the Docker-based setup here allows for _partially_ reproducible image builds.

To address the potential threat in our threat model of a compromised build host, we should implement reproducible image builds.

This will likely require:

  • Rewriting `alpine-make-rootfs` and the postinstall `setup.sh` in Nix to be more deterministic
  • Handling Alpine package pinning rather than taking the latest version of every package (perhaps we could use the SBOM of an existing relay as the input for a reproducible build?)

I'm not sure if the final packed and signed EFI build will ever be byte-for-byte comparable to one built on another machine, but as long as the image can be unpacked and hashed down the whole initramfs file tree and the kernel, then I think we can call this one complete.

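One way to do the "unpack and hash the whole initramfs file tree" comparison described in the issue, as an added example that is not part of the original post or the project's code. It assumes both images have already been unpacked into directories (the kernel can sit in the same directory as one more file); `make_sample` and its tree contents are constructed stand-ins for two builds.

```python
import hashlib
import os
import stat
import tempfile


def tree_manifest(root):
    # Map each relative path to a SHA-256 over file type, mode and content.
    # Timestamps and ownership are excluded: they differ between build hosts.
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):  # symlinks are not followed
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            h = hashlib.sha256(f"{st.st_mode:o}:".encode())  # type + permission bits
            if stat.S_ISLNK(st.st_mode):
                h.update(os.fsencode(os.readlink(path)))
            elif stat.S_ISREG(st.st_mode):
                with open(path, "rb") as f:
                    for chunk in iter(lambda: f.read(1 << 20), b""):
                        h.update(chunk)
            manifest[os.path.relpath(path, root)] = h.hexdigest()
    return manifest


def differing_paths(a, b):
    # Paths missing on one side, or present on both with different digests.
    return sorted(p for p in a.keys() | b.keys() if a.get(p) != b.get(p))


def make_sample(root, init_body, mtime):
    # Constructed sample tree standing in for an unpacked initramfs.
    os.makedirs(os.path.join(root, "etc"))
    for rel, body, mode in (("init", init_body, 0o755), ("etc/hostname", b"relay\n", 0o644)):
        path = os.path.join(root, rel)
        with open(path, "wb") as f:
            f.write(body)
        os.chmod(path, mode)
        os.utime(path, (mtime, mtime))  # simulate a different build time
    os.symlink("init", os.path.join(root, "linuxrc"))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        a, b = os.path.join(tmp, "host-a"), os.path.join(tmp, "host-b")
        make_sample(a, b"#!/bin/sh\nexec /sbin/init\n", 1_700_000_000)
        make_sample(b, b"#!/bin/sh\nexec /sbin/init --debug\n", 1_800_000_000)
        print(differing_paths(tree_manifest(a), tree_manifest(b)))
```

Two builds count as matching when their manifests are equal; when they are not, `differing_paths` names the files to inspect.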
Author
Owner
See also: https://github.com/alpinelinux/alpine-make-rootfs/issues/24
Reference
EmeraldOnion/emerald-relays#2