Is Whonix reproducible yet? [backdoor protection]

Is Whonix reproducible yet?

Far from it.

  • Debian packages are not all reproducible yet.
  • Even if they were, it’s reproducibly built packages - not reproducibly installed packages.
  • And even if they were reproducibly installed packages, we still would not have reproducible Debian raw images.
  • If we had reproducible Debian raw images, we’d have to check to see if reproducible ova (VirtualBox) and qcow2 (KVM) images can be built from those.

Whonix’s packages are reproducible on my build machine. When I rebuild them several times, they always have the exact same checksum. A lot of work was done for Whonix 14 porting Whonix package builds to cowbuilder. This was required as a basis for further enhancements.

Not using ReproducibleBuilds/ExperimentalToolchain yet. TODO: ticket

Even if that was implemented, we’d still need people to reproduce these packages and check they are really reproducible. Given there were people with various system configurations able to reproduce these packages, probably not much work is required to fix non-determinism.

And even if we had this, we’d still need automation: having various organizations and individuals run servers that randomly fetch Whonix packages from the Whonix repository, rebuild those, compare checksums and differences, and report non-determinism bugs. Doing the same for Whonix images. Debian also has no automation for that yet, but they are aware of it and want to create such automation as well as reproducible Debian ISOs. Once Debian has automation scripts for that, I hope that Whonix can partially reuse them.

Long way to go. Faster if you help.
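The core step of the automation described in the post above (rebuild, compare checksums, name what differs) is small enough to show end to end. The script below is an added example, not Whonix project code; it assumes two independent rebuilds have left their artifacts as plain files in two directories and that coreutils (`sha256sum`, `find`, `diff`, `mktemp`) is available. The sample build trees it creates are constructed data standing in for .deb files, with one of them carrying an embedded build timestamp, the classic source of non-determinism.

```shell
#!/bin/sh
# Added example (not from the Whonix project): compare two independent rebuilds
# of the same source and report every artifact whose checksum differs.
# Assumes: artifacts (.deb files, images, ...) are regular files under two
# directories; sha256sum/find/diff/mktemp come from coreutils/diffutils.

set -u

# Print "sha256  ./relative/path" for every regular file under $1, sorted by
# path with a fixed locale so both listings line up regardless of filesystem
# or locale ordering.
checksum_tree() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        sha256sum "$f"
    done )
}

# compare_builds A B: returns 0 when every artifact matches bit-for-bit,
# 1 when at least one differs or exists on only one side. The names of the
# offending artifacts are printed so they can be attached to a bug report.
compare_builds() {
    a=$1; b=$2
    sums_a=$(mktemp) || return 2
    sums_b=$(mktemp) || return 2
    checksum_tree "$a" > "$sums_a"
    checksum_tree "$b" > "$sums_b"
    if diff "$sums_a" "$sums_b" > /dev/null; then
        rc=0
    else
        echo "non-reproducible artifacts:"
        # diff lines look like "< <hash>  ./path"; field 3 is the path
        diff "$sums_a" "$sums_b" | awk '/^[<>]/ { print $3 }' | sort -u | sed 's/^/  /'
        rc=1
    fi
    rm -f "$sums_a" "$sums_b"
    return $rc
}

# Constructed sample data (not real packages): pkg-a is byte-identical in both
# build trees; pkg-b embeds a different build timestamp in each copy.
# Prints the root directory that holds build1/ and build2/.
make_sample_builds() {
    root=$(mktemp -d) || return 2
    mkdir -p "$root/build1" "$root/build2"
    printf 'deterministic payload\n' > "$root/build1/pkg-a_1.0_all.deb"
    printf 'deterministic payload\n' > "$root/build2/pkg-a_1.0_all.deb"
    printf 'built at 2018-01-01T00:00:00\n' > "$root/build1/pkg-b_1.0_all.deb"
    printf 'built at 2018-01-02T00:00:00\n' > "$root/build2/pkg-b_1.0_all.deb"
    echo "$root"
}

# Stand-alone demonstration: run with --demo to see one match and one mismatch.
if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample_builds)
    compare_builds "$root/build1" "$root/build1" && echo "build1 vs build1: reproducible"
    compare_builds "$root/build1" "$root/build2" || echo "build1 vs build2: NOT reproducible"
    rm -rf "$root"
fi
```

In a real deployment the two directories would be the artifacts published in the repository and the artifacts from a local rebuild of the same source revision; a non-zero exit from `compare_builds` is what a reporting job would turn into a non-determinism bug, and a tool such as diffoscope can then be pointed at the named files to explain the difference.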

Debian raw images should be now reproducible.

Bookworm: All official images are reproducible

ReproducibleInstalls/LiveImages - Debian Wiki

Automated tests for verification of the reproducible build of the live images are running on Jenkins

reproducible_debian_live_build_xfce_bookworm #134 [Jenkins]

The wiki says Tails builds aren’t deterministic yet, but it seems they are now.

Tails - Have your cake and eat it, too!

Tails - Verifying a Tails image for reproducibility

But who is actually reproducing?

Reproduction is similar to audited financials. While an accounting company can prepare the books these need to be audited by an independent third-party.

Who would be the auditor?

The idea is anyone can build it themselves to verify the hash is the same. So that could be you, me, or someone else.

That sounds like anyone can review the source code. Sounds nice in theory but without coordinated effort always doing that the value of that is rather hypothetical.

I would be willing to do it. So would others. There’s an entire group dedicated to the issue. https://reproducible-builds.org/

How would you reproduce official Debian images?