Title: Please try to build Tails reproducibly
Date: 2017-08-18 17:50

Nine days ago, an
[email](https://mailman.boum.org/pipermail/tails-dev/2017-August/011591.html)
was sent to `tails-dev at boum.org`, asking for help with building
[Tails](https://tails.boum.org) in a
reproducible way, and since not everyone reads this mailing list,
I thought I would write about this email here.

[![Tails logo]({static}/images/tails-logo-flat.png)](https://tails.boum.org)

If you're looking for a simple (and valuable) way to help the Tails project,
but have no time, can't write code, do system administration, draw, translate,
design, … there is still a way: building Tails. The build process is now pretty
straightforward (thanks to [Vagrant](https://www.vagrantup.com/)
and other assorted black-magic wizardry), but the big news is that it should now
be possible to build Tails in a reproducible way!

This has pretty cool implications:

- The Tails devs can now rely on an untrusted third party for the whole release process,
  and only check at the end that the checksum of the image is the same and, if it
  is, sign it, without having to hand the holy signing keys to the
  aforementioned party.
- Everyone can check that the Tails image available for download was
  actually built from the source, thus increasing confidence.
- It becomes trickier for attackers to backdoor the image, since they would
  have to backdoor the sources too.

This *feature* is still in an experimental stage, so it would be super-nice if
you could run a couple of commands, and try to build the exact same image as
the official Tails 3.1 one! It doesn't take long, your feedback is super valuable,
it only takes some disk space and CPU, … you don't have any excuse for not giving it a try.

The verbatim email is below, have fun!

---

Dear Tails and Tor contributors,
dear Reproducible Builds community,

As you might know, [Tails][1] has received the [Mozilla Open Source
Software award](https://wiki.mozilla.org/MOSS) (MOSS) to make Tails ISO images build reproducibly.
Since this project started, less than a year ago, we've made huge
progress and we've finally seen some ISO images build reproducibly on
the build environments of our core developers as well as on our
isobuilder machines. (See [our][a] [previous][b] [reports][c]).

However, there are still some remaining issues which we'd like to know
more about in order to fix them. That's why we are asking for your
help: Please try and build the Tails 3.1 ISO image and report your
findings back to us. You will find all instructions for doing so
hereafter. Please don't hesitate to contact us if you get stuck at some
point in the process, for example by connecting to our [chatroom][3].
You can also send us email to `tails-dev at boum.org` (public) or
`tails at boum.org` (private).

# How?

For your convenience all instructions needed to attempt to reproduce
Tails 3.1 are included hereafter. However all commands are
adapted for Debian Stretch (and Buster/Sid), so your results may vary if
you run another Linux distribution. Our [full build instructions][4]
might help if you are having problems.

## Set up the build environment

Building Tails requires the KVM virtual machine hypervisor to be
available, a minimum of 1 GiB of free RAM and a maximum of 20 GB of
free storage.

### Install dependencies

```bash
sudo apt-get install \
    git \
    rake \
    libvirt-daemon-system \
    dnsmasq-base \
    ebtables \
    qemu-system-x86 \
    qemu-utils \
    vagrant \
    vagrant-libvirt \
    vmdebootstrap && \
sudo systemctl restart libvirtd
```

### If building as a non-root user

(Skip this section if you intend to build Tails as the root user!)

Make sure that the user that is supposed to initiate the build is part
of the relevant groups:

```bash
user="${USER}"  # account that will run the build; change if it is not the current user
for group in kvm libvirt libvirt-qemu; do sudo adduser "$user" "$group"; done
```

Then run `newgrp` (or just reboot) to apply the new group memberships
to the session.

## Build Tails 3.1

```bash
git clone https://git-tails.immerda.ch/tails
cd tails
git checkout 3.1
git submodule update --init
rake build
```

# Send us feedback!

No matter how your build attempt turned out, we are interested in you
sending us feedback. For that we'll first need some information about the
system you used -- please run these commands in the exact same
terminal session that you ran `rake build` in (e.g. run them right
after `rake build`)!

```bash
sudo apt install apt-show-versions || :
(
    for f in /etc/issue /proc/cpuinfo
    do
        echo "--- File: ${f} ---"
        cat "${f}"
        echo
    done
    for c in free locale env 'uname -a' '/usr/sbin/libvirtd --version' \
             'qemu-system-x86_64 --version' 'vagrant --version'
    do
        echo "--- Command: ${c} ---"
        eval "${c}"
        echo
    done
    if which apt-show-versions >/dev/null
    then
        echo '--- APT package versions ---'
        apt-show-versions qemu:amd64 linux-image-amd64:amd64 vagrant \
                          libvirt0:amd64
    fi
) | bzip2 > system-info.txt.bz2
```

Please have a look at the generated file with

```bash
bzless system-info.txt.bz2
```

to make sure it doesn't contain any sensitive information you do not
want to leak in case you send this file to us or make it public!

Next, please follow the instructions below that match your situation!

## If the build failed.

Please open a ticket on [our bug tracker][5] with "Category" set to
"Build system" and `system-info.txt.bz2` attached (note that this makes
this file public).

## If the build succeeded ...

Please compute the SHA-512 checksum of the resulting ISO image:

```bash
sha512sum tails-amd64-3.1.iso
```

and compare it to:

```
843427fa13446c4b7134a10d3269b693317bbb898759e9d4e5dd8a25583372bed767e575974f5ca0229f1b44a99d4c7b64872c3dc433c0caf8965961cac9fb30
```

### Use the SHA256sum from our signed upgrade files instead

This is optional, but if you want to use an authenticated checksum,
you can find the sha256 checksum in our upgrade files:
[https://tails.boum.org/upgrade/v1/Tails/3.0.1/amd64/stable/upgrades.yml](https://tails.boum.org/upgrade/v1/Tails/3.0.1/amd64/stable/upgrades.yml)
... which are signed by the [Tails signing key][7]:
[https://tails.boum.org/upgrade/v1/Tails/3.0.1/amd64/stable/upgrades.yml.pgp](https://tails.boum.org/upgrade/v1/Tails/3.0.1/amd64/stable/upgrades.yml.pgp)

The SHA256 checksum should be:
`0ef1c7d880308ee9f98c255b2658b75445cc84622eae2944a342dcc50cea71c7`

### ... and the checksums match (i.e. reproduction succeeded).

Congrats for successfully reproducing Tails 3.1! Please send an email
to `tails-dev at boum.org` (public) or `tails at boum.org` (private) with the
subject "Reproduction of Tails 3.1 successful" and attach
`system-info.txt.bz2` to it.

### ... and the checksums differ (i.e. reproduction failed).

Now you are in a great position to help Tails improve its
reproducibility! Please install
[`diffoscope`][8] version `83` or higher. If you
run Debian Stretch, that is:

```bash
echo 'deb http://ftp.debian.org/debian stretch-backports main' \
    | sudo tee /etc/apt/sources.list.d/stretch-backports.list && \
sudo apt update && \
sudo apt -o APT::Install-Suggests="true" \
            -o APT::Install-Recommends="true" \
            install diffoscope
```

Then download the [official Tails 3.1 ISO image][6] and compare it to yours:

```bash
diffoscope \
    --text diffoscope.txt \
    --html diffoscope.html \
    --max-report-size 262144000 \
    --max-diff-block-lines 10000 \
    --max-diff-input-lines 10000000 \
        path/to/official/tails-amd64-3.1.iso \
        path/to/your/tails-amd64-3.1.iso && \
bzip2 diffoscope.*
```

Please send an email to `tails-dev at boum.org` (public) or `tails at boum.org`
(private) with the subject "Reproduction of Tails 3.1 failed" and
attach `system-info.txt.bz2` to it. We also want you to attach one (the
smallest!) of `diffoscope.txt.bz2` and `diffoscope.html.bz2` to the email,
but if they are "big" (say >100 KiB) then please don't bomb our mail
inboxes! Instead upload the file to some web-based file-sharing
service (we'd recommend [RiseUp][9]) and include the link(s) in the email.

Thank you very much for your interest and help!

Cheers!
The Tails project

[1]: http://tails.boum.org
[a]: https://tails.boum.org/news/report_2017_06/
[b]: https://tails.boum.org/news/report_2017_05/
[c]: https://mailman.boum.org/pipermail/tails-dev/2017-March/011297.html
[3]: https://tails.boum.org/support/#talk
[4]: https://tails.boum.org/contribute/build
[5]: https://labs.riseup.net/code/projects/tails/issues/new
[6]: http://dl.amnesia.boum.org/tails/stable/tails-amd64-3.1/tails-amd64-3.1.iso
[7]: https://tails.boum.org/news/signing_key_transition/
[8]: https://diffoscope.org/
[9]: https://share.riseup.net/
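
---

The checksum comparison from the email, scripted so that nobody has to compare 128 hex characters by eye. This is an added example, not part of the Tails email or the project's tooling; the function names `hex_digest` and `reproduction_status` are made up here, and the two expected digests are the ones quoted in the email above.

```bash
#!/bin/sh
# Digests quoted in the email above for the official tails-amd64-3.1.iso.
EXPECTED_SHA512=843427fa13446c4b7134a10d3269b693317bbb898759e9d4e5dd8a25583372bed767e575974f5ca0229f1b44a99d4c7b64872c3dc433c0caf8965961cac9fb30
EXPECTED_SHA256=0ef1c7d880308ee9f98c255b2658b75445cc84622eae2944a342dcc50cea71c7

# hex_digest ALGO FILE: print only the hex digest (ALGO is sha256 or sha512).
hex_digest() {
    "${1}sum" -- "$2" | cut -d' ' -f1
}

# reproduction_status ISO [SHA512] [SHA256]
# Prints the email subject line the Tails team asks for and returns
# 0 if both digests match, 1 if either differs, 2 if the file is unreadable.
# The body runs in a subshell, so its variables do not leak to the caller.
reproduction_status() (
    iso=$1
    # Accept expected digests pasted in upper case.
    want512=$(printf '%s' "${2:-$EXPECTED_SHA512}" | tr 'A-F' 'a-f')
    want256=$(printf '%s' "${3:-$EXPECTED_SHA256}" | tr 'A-F' 'a-f')
    if [ ! -r "$iso" ]; then
        echo "cannot read $iso" >&2
        exit 2
    fi
    got512=$(hex_digest sha512 "$iso")
    got256=$(hex_digest sha256 "$iso")
    if [ "$got512" = "$want512" ] && [ "$got256" = "$want256" ]; then
        echo "Reproduction of Tails 3.1 successful"
        exit 0
    fi
    # Say which digest diverged so the report is unambiguous.
    [ "$got512" = "$want512" ] || echo "SHA-512 differs: $got512" >&2
    [ "$got256" = "$want256" ] || echo "SHA-256 differs: $got256" >&2
    echo "Reproduction of Tails 3.1 failed"
    exit 1
)

# Run directly as: sh check-iso.sh path/to/your/tails-amd64-3.1.iso
if [ "$#" -gt 0 ]; then
    reproduction_status "$1"
fi
```

A return code of 1 means the next step is the `diffoscope` comparison described in the email.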
