Description of issue or feature request:
Hi all, I'm working on Reproducible Builds. I'm searching for a standard specification for presentation of the build environment (including toolchain, arch, dependencies, and even timestamps). In-toto gives a pretty good sketch for the supply chain. However, to support the reproducible build scenario, I think it would be a good choice to add more fields to in-toto's spec of the link file, describing the reproducible environment information to help the client reproduce the product, if needed.
Current behavior:
In section 4.4 of the in-toto spec, the link file gives rough environment info (ENVs, fs and workdir). But to reproducibly build a software product, we need more detailed information about the build environment.
Expected behavior:
Concretely, an optional field which provides more detailed information about the build environment in the link file. For those software supply chain components that need strong security assurance, the layout can tell any client to reproduce a specific step based on the build environment information provided, to check the correctness of the product of that step. For those components which do not need reproducibility, this new optional field can be ignored, and a client can check only as section 5.2, Verifying the final product, of the spec says.
Thanks.
Hi @Xynnn007, thank you for opening the ticket. Strictly speaking about the environment field, I should note that the three subfields listed in the spec are examples, and env can contain other arbitrary information.
However, have you taken a look at the in-toto provenance specification? You can find it here: https://slsa.dev/provenance/v0.1. Tied into the https://github.com/in-toto/attestation, it may already contain the fields you're looking for. Also, consider that buildinfo files can be recorded as materials of the verification step, and they contain some of the environment information you may be thinking of.
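As an added example (not part of this thread and not in-toto's own code), the following Python sketches how a link-style record whose `environment` carries extra keys could drive a client-side reproduction check: the toy build, the `toolchain` and `arch` keys, and all sample values are assumptions.

```python
import hashlib
import os
import tempfile

# Assumed toy "build": embeds the source and the timestamp taken from the
# environment, so the output only reproduces when the recorded env is reused.
def toy_build(out_dir, source, env):
    stamp = env["variables"]["SOURCE_DATE_EPOCH"]
    with open(os.path.join(out_dir, "app.bin"), "wb") as f:
        f.write(f"{source}|built_at={stamp}\n".encode())

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

# Record a link-style dict. "environment" keeps the spec's example subfields
# (variables, filesystem, workdir) and adds assumed reproducibility keys.
def record_link(step, out_dir, env):
    products = {n: {"sha256": sha256_of(os.path.join(out_dir, n))}
                for n in sorted(os.listdir(out_dir))}
    return {"_type": "link", "name": step, "materials": {},
            "products": products, "byproducts": {}, "environment": env}

def verify_reproduction(link, rebuilt_dir):
    """Names of recorded products that are missing or hash differently after a rebuild."""
    bad = []
    for name, h in link["products"].items():
        p = os.path.join(rebuilt_dir, name)
        if not os.path.exists(p) or sha256_of(p) != h["sha256"]:
            bad.append(name)
    return bad

def demo(source="print('hi')", epoch="1700000000"):
    # Constructed environment; toolchain/arch are the proposed extra fields.
    env = {"variables": {"SOURCE_DATE_EPOCH": epoch}, "filesystem": "",
           "workdir": "/build", "toolchain": "cc-toy-1.0", "arch": "x86_64"}
    with tempfile.TemporaryDirectory() as root:
        orig, repro, bad = (os.path.join(root, s) for s in ("orig", "repro", "bad"))
        for d in (orig, repro, bad):
            os.mkdir(d)
        toy_build(orig, source, env)
        link = record_link("build", orig, env)
        # A client rebuilding with the environment from the link gets the same hash.
        toy_build(repro, source, link["environment"])
        same = verify_reproduction(link, repro)
        # Rebuilding with a different timestamp yields a mismatch on app.bin.
        toy_build(bad, source, dict(env, variables={"SOURCE_DATE_EPOCH": "0"}))
        differs = verify_reproduction(link, bad)
    return same, differs
```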