Archives/gitian-builder
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
Build packages in a secure deterministic fashion inside a VM
45 Commits 6 Branches 2 Tags 998 KiB
Python 43.5%
Shell 29.7%
Ruby 26.8%
28bb421156
Go to file
devrandom 28bb421156 First pass lxc support
2012-04-22 10:26:39 -07:00
bin First pass lxc support 2012-04-22 10:26:39 -07:00
doc check if kvm is available and warn if not 2011-05-30 13:55:38 -07:00
etc First pass lxc support 2012-04-22 10:26:39 -07:00
libexec First pass lxc support 2012-04-22 10:26:39 -07:00
share Add "optionals" array to descriptor/assertion YAML files - allow them to be missing on verify 2012-02-21 09:43:13 -08:00
target-bin First pass lxc support 2012-04-22 10:26:39 -07:00
.gitignore implement bin/gsign 2011-03-26 17:32:21 -07:00
README.md First pass lxc support 2012-04-22 10:26:39 -07:00

README.md

Gitian

Read about the project goals at the "project home page":https://gitian.org/ .

This package can do a deterministic build of a package inside a VM.

Deterministic build inside a VM

This performs a build inside a VM, with deterministic inputs and outputs. If the build script takes care of all sources of non-determinism (mostly caused by timestamps), the result will always be the same. This allows multiple independent verifiers to sign a binary with the assurance that it really came from the source they reviewed.

Synopsis:

Install prereqs:

sudo apt-get install apt-cacher
sudo service apt-cacher start

If you want to use kvm: sudo apt-get install python-vm-builder qemu-kvm

or alternatively, lxc (no need for hardware support): sudo apt-get install debootstrap lxc

Create the base VM for use in further builds (requires sudo, please review the script):

bin/make-base-vm
bin/make-base-vm --arch i386

or for lxc:

bin/make-base-vm --lxc
bin/make-base-vm --lxc --arch i386

Copy any additional build inputs into a directory named inputs.

Then execute the build using a YAML description file (can be run as non-root):

export USE_LXC=1 # LXC only
bin/gbuild <package>.yml

or if you need to specify a commit for one of the git remotes:

bin/gbuild --commit <dir>=<hash> <package>.yml

The resulting report will appear in result/<package>-res.yml

To sign the result, perform:

bin/gsign --signer <signer> --release <release-name> <package>.yml

Where is your signing PGP key ID and is the name for the current release. This will put the result and signature in the sigs//. The sigs/ directory can be managed through git to coordinate multiple signers.

After you've merged everybody's signatures, verify them:

bin/gverify --release <release-name> <package>.yml

Poking around

  • Log files are captured to the var directory
  • You can run the utilities in libexec by running PATH="libexec:$PATH"
  • To start the target VM run start-target 32 lucid-i386 or start-target 64 lucid-amd64
  • To ssh into the target run on-target or on-target -u root
  • On the target, the build directory contains the code as it is compiled and install contains intermediate libraries
  • By convention, the script in <package>.yml starts with any environment setup you would need to manually compile things on the target

TODO:

  • disable sudo in target, just in case of a hypervisor exploit
  • tar and other archive timestamp setter