element-hq / element-web

A glossy Matrix collaboration client for the web.
https://element.io
Apache License 2.0

Reproducible builds #11848

Open danimesq opened 4 years ago

turt2live commented 4 years ago

@DaniellMesquita can you give us more information please?

danimesq commented 4 years ago

All releases, being built, producing the same hash

turt2live commented 4 years ago

And the motivation for requesting the feature is? I understand that it's useful from a security perspective, but this feels a lot like someone coming by saying "it's ugly" and not providing much more in terms of feedback.

Logicwax commented 4 years ago

I'm assuming this is in regard to the Electron app, for which reproducible builds would be useful from a security perspective. Multiple highly regarded security engineers / staff could all sign off on the build hash, which could provide an assurance of trust that no single person/machine was compromised, without having to rebuild yourself from source. (Also useful for the mobile clients especially.)

uhoreg commented 4 years ago

I'm surprised we didn't already have an issue for this. More information about reproducible builds is available at https://reproducible-builds.org/. Basically it's a way to ensure that the binary that is distributed matches the source that was (claimed to be) used to produce it.

This means that, for example, if multiple people say that "I compiled riot x.y.z and the hash I got was abcdefg", and you download the package from packages.riot.im and find that the hash matches what everyone else says it should be, then you know that 1) New Vector didn't add in any secret sauce to the builds to add a back door, and 2) an attacker didn't replace the packages (which still protects users even if the attacker manages to compromise the signing keys).

It would also be a way of ensuring that our builds are not compromised: we could build the app on multiple machines and compare hashes. If the hashes all match, then either all our build machines are clean, or all of them have been compromised in the same way.
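
The hash comparison described in this thread, as an added example that is not code from the thread's participants or from the project: it checks a downloaded package's digest against digests published by independent rebuilders. SHA-256, the function names, the rebuilder names and the sample bytes are all assumptions made for illustration.

```python
import hashlib
import io
from collections import Counter

def sha256_stream(stream, chunk_size=1 << 16):
    """Hash a binary stream in chunks so large packages need not fit in memory."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk_size), b""):
        h.update(block)
    return h.hexdigest()

def verify_download(download_digest, rebuilder_reports, min_rebuilders=2):
    """Compare a download's digest with digests reported by independent rebuilders.

    rebuilder_reports maps a (hypothetical) rebuilder name to the hex digest
    that rebuilder published. Returns (verdict, detail).
    """
    reports = {name: d.strip().lower() for name, d in rebuilder_reports.items()}
    if len(reports) < min_rebuilders:
        return "insufficient", f"only {len(reports)} report(s), need {min_rebuilders}"
    counts = Counter(reports.values())
    if len(counts) > 1:
        # Rebuilders disagree: the build is not reproducible, or a builder is compromised.
        majority = counts.most_common(1)[0][0]
        dissenters = sorted(n for n, d in reports.items() if d != majority)
        return "rebuilders-disagree", ", ".join(dissenters)
    agreed = next(iter(counts))
    if agreed != download_digest.strip().lower():
        return "mismatch", f"download {download_digest} != rebuilt {agreed}"
    # A match cannot rule out every builder being compromised in the same way.
    return "match", agreed

# Constructed sample data: stand-in bytes, not a real release package.
SAMPLE_PACKAGE = b"constructed stand-in for a release package\n"
GOOD = hashlib.sha256(SAMPLE_PACKAGE).hexdigest()
TAMPERED = hashlib.sha256(SAMPLE_PACKAGE + b"extra").hexdigest()

def demo():
    download = sha256_stream(io.BytesIO(SAMPLE_PACKAGE))
    return {
        "clean": verify_download(download, {"alice": GOOD, "bob": GOOD, "carol": GOOD})[0],
        "replaced": verify_download(TAMPERED, {"alice": GOOD, "bob": GOOD})[0],
        "split": verify_download(download, {"alice": GOOD, "bob": GOOD, "carol": TAMPERED}),
        "lonely": verify_download(download, {"alice": GOOD})[0],
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The "split" case is the one to alert on in a build pipeline: it names the rebuilder whose digest differs from the rest, which is where investigation starts.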