robur-coop / qubes-miragevpn

BSD 2-Clause "Simplified" License

No release on GitHub #13

Open ideologysec opened 3 months ago

ideologysec commented 3 months ago

The handbook states that a release can be downloaded from the reproducible build server, or from the official GitHub, which this is.

https://robur-coop.github.io/miragevpn-handbook/qubes_miragevpn.html

There do not appear to be binary releases pushed on GitHub - is this intentional and a typo in the handbook?

Additionally, the sha256 on github (https://github.com/robur-coop/qubes-miragevpn/blob/main/qubes-miragevpn.sha256) does not match the most recent downloaded version from the build server. Where is the appropriate sha256 published for checking?

reynir commented 3 months ago

There seem to be artifacts published on each action, e.g. this latest one: https://github.com/robur-coop/qubes-miragevpn/actions/runs/10033371815
We should maybe publish them as releases. Maybe @dinosaure has an opinion on this. In either case we should probably make it more clear in the handbook where to find the binary releases from GitHub.

About what sha256 checksum to check against is a good question. The builds on builds.robur.coop use the latest system packages and opam (OCaml package manager) packages. Furthermore, we are building on different platforms: FreeBSD 14 and now Debian 11 and Debian 12 too. It is expected that different platforms will not reproduce the same binary. Updates in dependencies or system packages can also break reproducibility. However, enough information should be recorded that you should be able to reproduce the build (using orb). I was hoping the Debian 12 build would reproduce the GitHub action / docker build, but unfortunately not.

The docker build (see the Dockerfile) pins the debian repository to a fixed snapshot. It also uses a fixed snapshot of the opam repository (the OCaml packages). Thus the builds are more stable and should consistently reproduce the same build.

So most likely you are interested in the GitHub build as it is most reproducible. On the other hand the builds.robur.coop builds will have the latest versions of dependencies including the latest fixes (and latest bugs).
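
The checksum check raised in the question above, written out as an added example that is not part of this issue thread or the qubes-miragevpn project. It assumes the published `.sha256` file uses the common `<hex>  <filename>` layout, and every file name it touches is a constructed placeholder in a temporary directory; the second check deliberately compares against a checksum from a different constructed build, which is the mismatch the question describes.

```shell
#!/bin/sh
# Added example, not code from the issue thread or the qubes-miragevpn project.
# Verifies a downloaded artifact against a published .sha256 file before it is
# installed. Assumes the "<hex>  <filename>" checksum layout; all file names
# below are constructed placeholders.
set -eu

# Print the SHA-256 hex digest of a file with whichever tool is available.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_sha256 <artifact> <sumfile>
# Returns 0 on match, 1 on mismatch, 2 when a file is missing or the sumfile
# holds no 64-hex-digit checksum. Details go to stderr so the caller decides
# what to do (refuse to install, fetch the checksum for the right build, ...).
verify_sha256() {
  artifact="$1"
  sumfile="$2"
  if [ ! -f "$artifact" ] || [ ! -f "$sumfile" ]; then
    echo "missing file: $artifact or $sumfile" >&2
    return 2
  fi
  # First field that looks like a SHA-256 digest (no regex intervals, for mawk).
  expected=$(awk 'length($1) == 64 && $1 ~ /^[0-9a-fA-F]+$/ {print tolower($1); exit}' "$sumfile")
  if [ -z "$expected" ]; then
    echo "no SHA-256 checksum found in $sumfile" >&2
    return 2
  fi
  actual=$(sha256_of "$artifact")
  if [ "$expected" = "$actual" ]; then
    echo "OK: $artifact matches $sumfile"
    return 0
  fi
  echo "MISMATCH: $artifact" >&2
  echo "  expected $expected (from $sumfile)" >&2
  echo "  actual   $actual" >&2
  return 1
}

# Demo with constructed files: one checksum that matches the download, and one
# that belongs to a different build (as happens when the builds.robur.coop
# artifact is checked against a checksum produced on another platform).
demo() {
  dir=$(mktemp -d)
  printf 'constructed unikernel image bytes\n' > "$dir/qubes-miragevpn.xen"
  printf '%s  qubes-miragevpn.xen\n' "$(sha256_of "$dir/qubes-miragevpn.xen")" > "$dir/good.sha256"
  printf 'constructed bytes from another build\n' > "$dir/other-build.xen"
  printf '%s  qubes-miragevpn.xen\n' "$(sha256_of "$dir/other-build.xen")" > "$dir/other.sha256"

  verify_sha256 "$dir/qubes-miragevpn.xen" "$dir/good.sha256"
  if verify_sha256 "$dir/qubes-miragevpn.xen" "$dir/other.sha256"; then
    echo "unexpected match against a checksum from another build" >&2
    rm -rf "$dir"
    return 1
  fi
  rm -rf "$dir"
}

demo
```

The non-zero return on mismatch is the point: a download script (the Salt state mentioned later in this thread, for instance) can stop before installing, rather than treating a checksum from a different build as a warning.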

ideologysec commented 2 weeks ago

It would be very useful to publish them as actual GitHub releases. Building a Salt template to download and install the latest version a la Mirage Firewall is the thing that I am looking for or to do. Arbitrary strings in the GitHub Actions channel are maybe not the best way for that.

I am less interested in reproducibility (though I understand and agree with its importance) than I am in installability.