We already have deterministic packaging in some parts of Firefox (notably
most XPIs and omni.ja files). We've done this by implementing our own
jar/zip archiving layer (
https://dxr.mozilla.org/mozilla-central/source/python/mozbuild/mozpack/mozjar.py)
which pins times, sorts files before writing, etc. We just haven't applied
this to all parts of packaging yet. We know what we have to do here.
>
>
>
https://bugzilla.mozilla.org/show_bug.cgi?id=885777#c22
>
> > Docker images are notoriously not very reproducible (because `yum
> update/install` installs the latest version of packages advertised on
> servers and that can change over time).
>
> Does this affect file bit-to-bit comparison between what can be downloaded
> from
https://www.mozilla.org/en-US/firefox/all/ and what can be built
> from source?
>
> > However, paranoid people will want to reproduce those independently.
> It's turtles all the way down of course. The question is how far do we want
> to go.
>
> In my opinion, enabling independent organization to point out whether what
> can be downloaded from
https://www.mozilla.org/en-US/firefox/all/ has
> been altered would be an amazing first milestone.
> I wouldn't worry too much about "paranoid people" for now.
>
> > We /could/ publish the Docker images Mozilla uses (they are probably
> already public for all I know).
>
> Publishing the images used by Mozilla would probably be enough for now
> IMHO. People can always audit the image by traversing the image file system
> to see whether they find something fishy.
>
> Does a comparable build seems like a good end-goal?
>
A significant obstacle to even comparable builds is "private" data embedded
within Firefox. e.g. Google API Keys. I /think/ we're also shipping some
DRM blobs. Then of course there is build signing, which takes a private key
and cryptographically signs builds/installers. With these in play, there is
no way for anybody not Mozilla to do a bit-for-bit reproduction of most
(all?) of the Firefox distributions at
https://www.mozilla.org/en-US/firefox/all/. The best we can do is ask you
to compare the extracted/packaged files and compare them - modulo pieces
like the Google API Key - to what a 3rd party entity has produced.
Unfortunately, I'm not sure that will be trivial, as I believe these
private blobs of data are embedded within libxul. So your comparison tool
would have to know how to read library headers and possibly even assembly
code. At some point, the ability to audit a Firefox distribution is
undermined enough that a security professional may not feel comfortable
saying it looks good.
So when I asked what the end goal is, I'm really asking non-Mozilla groups
what an acceptable level of reproducibility is. While I agree
deterministic, reproducible builds have a number of positive traits
(including caching for the build system to make builds faster!), I see
enough obstacles for satisfying the intent of security-minded groups that I
question whether it is worth doing for those groups alone. Right now, Tor
and Debian can both build Firefox in a mostly reproducible manner. And our
policy on the build system is that any patches they write to achieve that
goal will (likely) be taken upstream. I just don't know if it is worth our
effort to work on additional reproducibility efforts given limitations
reproducing what *Mozilla* actually ships.