Is Whonix reproducible yet? [backdoor protection]

Far from it.

  • Debian packages are not all reproducible yet.
  • Even if they were, that would give us reproducibly built packages, not reproducibly installed packages.
  • And even if we had reproducibly installed packages, we would still not have reproducible Debian raw images.
  • If we had reproducible Debian raw images, we would still have to check whether reproducible ova (VirtualBox) and qcow2 (KVM) images can be built from them.

Whonix’s packages are reproducible on my build machine. When I rebuild them several times, they always have the exact same checksum. A lot of work was done for Whonix 14 porting Whonix package builds to cowbuilder. This was required as a basis for further enhancements.

Not using ReproducibleBuilds/ExperimentalToolchain yet. TODO: ticket

Even if that were implemented, we would still need people to reproduce these packages and check that they are really reproducible. If people with various system configurations turned out to be able to reproduce these packages, probably not much work would be required to fix the remaining non-determinism.

And even if we had this, we would still need automation: various organizations and individuals running servers that randomly fetch Whonix packages from the Whonix repository, rebuild them, compare checksums and differences, and report non-determinism bugs. The same would be done for Whonix images. Debian does not have automation for that yet either, but they are aware of it and want to create such automation as well as reproducible Debian ISOs. Once Debian has automation scripts for that, I hope that Whonix can partially reuse them.
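As an added example (not Whonix's or Debian's own code), the script below does the compare-and-report step described above: it parses the Checksums-Sha256 stanza of a Debian .buildinfo file, hashes the artifacts a local rebuild produced, and reports for each published artifact whether it matches, differs or is missing. The .buildinfo text and the artifact contents are constructed for the demo; in real use it would be pointed at a downloaded .buildinfo and the output directory of a cowbuilder rebuild.

```python
"""Check a local rebuild against the checksums an upstream build published.

Added example, not Whonix's or Debian's code.  The Checksums-Sha256 stanza
format is the one used in Debian .buildinfo and .changes files:
"Checksums-Sha256:" followed by indented lines "<sha256> <size> <filename>".
"""
from __future__ import annotations

import hashlib
import re
import tempfile
from pathlib import Path

HEX64 = re.compile(r"[0-9a-f]{64}")


def parse_checksums_sha256(buildinfo_text: str) -> dict[str, tuple[str, int]]:
    """Return {filename: (sha256_hex, size)} from the Checksums-Sha256 stanza."""
    checksums: dict[str, tuple[str, int]] = {}
    in_block = False
    for line in buildinfo_text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_block = True
            continue
        if in_block:
            if not line.startswith(" "):  # the stanza ends at the next unindented field
                break
            digest, size, name = line.split()
            if not HEX64.fullmatch(digest):
                raise ValueError(f"malformed SHA-256 digest for {name}")
            checksums[name] = (digest, int(size))
    return checksums


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large .deb files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_rebuild(buildinfo_text: str, rebuilt_dir: Path) -> dict[str, str]:
    """Classify every published artifact as 'match', 'differs' or 'missing'.

    Size is checked first because it is cheap; the digest decides when sizes agree.
    """
    result: dict[str, str] = {}
    for name, (digest, size) in parse_checksums_sha256(buildinfo_text).items():
        path = rebuilt_dir / name
        if not path.is_file():
            result[name] = "missing"
        elif path.stat().st_size != size or sha256_file(path) != digest:
            result[name] = "differs"
        else:
            result[name] = "match"
    return result


def demo() -> dict[str, str]:
    """Run the comparison on constructed data (not real Whonix artifacts)."""
    # Constructed "published" build: what the upstream builder hashed.
    published = {
        "example_1.0-1_all.deb": b"deterministic deb payload\n",
        "example_1.0-1.dsc": b"Format: 3.0 (native)\nSource: example\n",
        "example_1.0.tar.xz": b"source tarball\n",
    }
    # Constructed local rebuild: the .dsc picked up a build timestamp (a classic
    # source of non-determinism) and the tarball was never produced.
    rebuilt = {
        "example_1.0-1_all.deb": b"deterministic deb payload\n",
        "example_1.0-1.dsc": b"Format: 3.0 (native)\nSource: example\nBuilt: 2018-01-01\n",
    }
    lines = ["Format: 1.0", "Source: example", "Checksums-Sha256:"]
    for name, data in published.items():
        lines.append(f" {hashlib.sha256(data).hexdigest()} {len(data)} {name}")
    lines.append("Build-Origin: Debian")  # next field terminates the stanza
    buildinfo_text = "\n".join(lines) + "\n"

    with tempfile.TemporaryDirectory() as tmp:
        rebuilt_dir = Path(tmp)
        for name, data in rebuilt.items():
            (rebuilt_dir / name).write_bytes(data)
        return compare_rebuild(buildinfo_text, rebuilt_dir)


if __name__ == "__main__":
    for artifact, verdict in demo().items():
        print(f"{verdict:8} {artifact}")
```

Anything reported as "differs" is a candidate non-determinism bug; the usual next step is to run diffoscope on the published and rebuilt artifact to see which bytes changed.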

Long way to go. Faster if you help.