Open Build Service

I propose the use of a dedicated package building system for Whonix project packages. The most advanced one I have found is the Suse developed Open Build System. Most important features are [1]: Supports a wide variety of distros and package formats. Can fetch from different collaborative coding platforms including Git. Supports different hardware architectures (think ARM support). Supports reproducible builds.

Besides being available as an online service, the build server software is available as an appliance package you can download and use locally. [2]

Open Build System is used by some major projects: Linux foundation and Tizen. [3]

The Open Build Service (OBS) is a generic system to build and distribute binary packages from sources in an automatic, consistent and reproducible way. You can release packages as well as updates, add-ons, appliances and entire distributions for a wide range of operating systems and hardware architectures.

[1] openSUSE:Build Service comparison - openSUSE Wiki
[2] Download - Open Build Service
[3] Open Build Service - Wikipedia


  • Whonix’s Debian Packages (Whonix · GitHub) already are built deterministically. (Verifiable Builds - Whonix)
  • related, Continuous Integration (CI): Dev/Continuous Integration - Whonix
  • All packages are currently built also on CI for debugging purposes in one go using build-steps.d/1200_create-debian-packages:
    (Although not that useful, since based on Ubuntu, not Debian as Whonix.) I noticed one or another build error (mostly due to forgetting to push git remotes) that therefore others don’t notice. Quite useful to iron out build errors. But that’s about it.
  • Setting up CI for each and every individual package would be a lot work and I don’t see the benefit of that.
consistent and reproducible way
I did some searching and I don't think they are using reproducible as synonym for deterministic. As far I understand, they're referring to reproducible in the simpler sense, just being able to repeat the build, not in the debian-reproducible sense, not as in byte for byte identical (deterministic).
Supports different hardware architectures (think ARM support).
I am not sure it would be security wise a great idea to deploy binary packages there were build on some CI server to end users.

Also also not eager to get ARM specific packages into Whonix’s repository without having a dedicated maintainer for ARM. Fortunately, Whonix doesn’t include any to be complied [at build time] code yet. To my knowledge there is no platform specific code yet. (Well, tb-updater, because The Tor Project does not ship ARM builds of TBB.) What Whonix ARM support needs next is a maintainer supporting that use case, perhaps a very few lines of changed code, building the image, maintaining it.

Can also build full OS images, appliances or VM's (KIWI)

Sounds terrific. Something that using CI’s I found is not possible due to their inherit limitations using OpenVZ.
Apparently appliance building is only supported for Suse?
(I briefly checked out KIWI / susestudio. They from suse are providing their community with some great dev tools, looks like. And I am all for great dev tools. :slight_smile: )


At my current knowledge, I don’t think I’ll be working on this.

Unless, have I missed any arguments in favor?

Having that said, anyone feel free to work on this.

At my current knowledge, I don't think I'll be working on this.

Unless, have I missed any arguments in favor?

Having that said, anyone feel free to work on this.

Nice write up on why it won’t work, I am not a dev so didn’t know much about the process. I wanted to run this by you just in case you found it more helpful.

One thing occurred to me. Since their CI is probably based on KVM, maybe it can be used to create Debian VM images. Worth trying.

Asked in their forums:

Got redirected. Asked on their mailing list: