Reproducible builds (same code -> always same binary)


#1

Have you considered adding reproducible builds to Swift? If you compile the same code under the same conditions, you always get the same binary.

This would be huge for open source, because people could *prove* that an app binary came from the code it's supposed to be coming from.

This should be possible to do. To get the same conditions, a VM (or just the same cleanly installed Mac) could be used. If the compiler adds a timestamp, an option to remove the timestamp could be added. Etc.

Bitcoin Core does this using Gitian: https://gitian.org
Debian Linux is making progress: https://wiki.debian.org/ReproducibleBuilds


(Adrian Kashivskyy) #2

Hi,

> Have you considered adding reproducible builds to Swift? If you compile the same code under the same conditions, you always get the same binary.

I don’t honestly know if „reproducible builds” are part of ABI stability, but if you are interested in that, you can find more information in Swift ABI Stability Dashboard.

> This would be huge for open source, because people could *prove* that an app binary came from the code it's supposed to be coming from.

Considering the nature of open-source projects and that most of them are compiled by users (either manually or by a package manager) on their own machines, the environment and configuration may vary so you won’t prove what you want to, based on your description.

If you want to distribute pre-built binaries and are afraid of malicious modifications of them, you should use code signing. It is designed to prove that binaries have not been tampered with and came from a trusted, original source.


——
adrian kashivskyy

On 12 Jun 2017, 11:38 +0200, Tuur Anton via swift-evolution <swift-evolution@swift.org>, wrote:

> Have you considered adding reproducible builds to Swift? If you compile the same code under the same conditions, you always get the same binary.
>
> This would be huge for open source, because people could *prove* that an app binary came from the code it's supposed to be coming from.
>
> This should be possible to do. To get the same conditions, a VM (or just the same cleanly installed Mac) could be used. If the compiler adds a timestamp, an option to remove the timestamp could be added. Etc.
>
> Bitcoin Core does this using Gitian: https://gitian.org
>
> Debian Linux is making progress: https://wiki.debian.org/ReproducibleBuilds
_______________________________________________
swift-evolution mailing list
swift-evolution@swift.org
https://lists.swift.org/mailman/listinfo/swift-evolution


#3

adrian kashivskyy wrote:
> open-source projects and that most of them are compiled by users

Maybe that's true, but there are apps where most of users just download the binary. A great example is Signal for iOS. There's no way to verify the binary comes from the supposed source code. So "open source" is providing all these users with a false sense of security.

Imagine if this was possible: (1) Download an "open source" app on your iPhone from the App Store. (2) Connect your iPhone to your Mac and extract the app binary to your Mac. (3) Compile the app's source code from GitHub. (4) Compare the SHA-256 hashes of both binaries and verify they're the same.

Wouldn't this be cool? I think so, because any user could ask a tech-savvy friend to verify the binary. The app's reputation would go down the tubes if the SHA-256 hashes would stop matching.


From this perspective, I think bitcode, app thinning, etc. are taking us backwards. I hope those never become mandatory. Developers should have the option to make steps (1)-(4) possible.
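The check behind steps (1)-(4) above, together with the "same conditions" idea from the first post, as an added example that is not part of this thread: a small POSIX shell harness that runs a build command twice in fresh directories under a pinned environment and compares the SHA-256 digests of the named artifact. The environment variables it pins (SOURCE_DATE_EPOCH, TZ, LC_ALL, LANG) are the conventions of the Debian reproducible-builds effort; whether any particular Swift toolchain honours them is an assumption here, as are the stand-in build commands in the trailing comments, which only write a file so the harness can be exercised without a compiler.

```shell
#!/bin/sh
# Added example, not code from the swift-evolution thread: a "build it twice
# and compare the hashes" harness, the core of the Gitian/Debian approach.

# Pick whichever SHA-256 tool this system has (GNU coreutils vs. macOS/BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Run the build command ($1) in a fresh temp dir with a pinned environment and
# print the SHA-256 of the artifact ($2, path relative to that dir).
# Returns non-zero if the build fails or does not produce the artifact.
build_once() {
    build_cmd=$1; artifact=$2
    workdir=$(mktemp -d) || return 1
    (
        cd "$workdir" || exit 1
        # Pin the things a compiler or linker commonly folds into its output:
        # build timestamp, timezone, locale, file modes. (Assumption: the
        # toolchain under test honours SOURCE_DATE_EPOCH.)
        export SOURCE_DATE_EPOCH=1 TZ=UTC LC_ALL=C LANG=C
        umask 022
        sh -c "$build_cmd"
    ) >/dev/null 2>&1 || { rm -rf "$workdir"; return 1; }
    [ -f "$workdir/$artifact" ] || { rm -rf "$workdir"; return 1; }
    sha256_of "$workdir/$artifact"
    rm -rf "$workdir"
}

# Build twice and report. Exit status 0 only when both digests match;
# 1 when they differ; 2 when a build failed.
check_reproducible() {
    h1=$(build_once "$1" "$2") || { echo "build 1 failed"; return 2; }
    h2=$(build_once "$1" "$2") || { echo "build 2 failed"; return 2; }
    if [ "$h1" = "$h2" ]; then
        echo "reproducible: $h1"
        return 0
    fi
    echo "NOT reproducible:"
    echo "  build 1: $h1"
    echo "  build 2: $h2"
    return 1
}

# Usage with constructed stand-ins for a compiler (no toolchain required).
# A build that writes only its input is stable; one that embeds the process id
# (standing in for a build timestamp) differs on every run:
#   check_reproducible 'printf "binary-bytes" > app' app
#   check_reproducible 'printf "binary-bytes %s" "$$" > app' app
# Against a real toolchain (assumed invocation, adjust to the project):
#   check_reproducible 'swiftc -O main.swift -o app' app
```

A differing digest pair tells you the toolchain is folding something non-deterministic into the output (a timestamp, a temporary path, parallel link ordering), which is exactly what the "option to remove the timestamp" in the first post is about. Two caveats for step (4) as written: a code signature lives inside the binary, so a signed download and a local unsigned build will never hash identically unless the signature is removed or the same key is applied deterministically; and App Store builds are additionally encrypted, so the comparison has to be made on the unencrypted, unsigned Mach-O rather than on the file as downloaded.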


(Karl) #4

App-thinning is not part of Swift (I don’t think we do anything special for bitcode, either - that happens at the LLVM level).

Anyway, those are just distribution technologies that Apple have chosen to implement for their AppStore. Whether or not they become requirements for submitting your App to the AppStore is up to Apple and their policy decisions. Again, nothing to do with the Swift language itself.

- Karl


On 12. Jun 2017, at 21:56, Tuur Anton via swift-evolution <swift-evolution@swift.org> wrote:

>> adrian kashivskyy wrote:
>> open-source projects and that most of them are compiled by users
>
> Maybe that's true, but there are apps where most of users just download the binary. A great example is Signal for iOS. There's no way to verify the binary comes from the supposed source code. So "open source" is providing all these users with a false sense of security.
>
> Imagine if this was possible: (1) Download an "open source" app on your iPhone from the App Store. (2) Connect your iPhone to your Mac and extract the app binary to your Mac. (3) Compile the app's source code from GitHub. (4) Compare the SHA-256 hashes of both binaries and verify they're the same.
>
> Wouldn't this be cool? I think so, because any user could ask a tech-savvy friend to verify the binary. The app's reputation would go down the tubes if the SHA-256 hashes would stop matching.
>
> From this perspective, I think bitcode, app thinning, etc. are taking us backwards. I hope those never become mandatory. Developers should have the option to make steps (1)-(4) possible.
