pakket
Verification command for interpreter-based packages
If we store, with every interpreter-based package, the checksum of the binary it was compiled against, we could then use that to verify that we're running against the same binary on the target machine.
pakket verify perl /usr/bin/perl
This will check that all the packages in the perl category have the same checksum for their interpreter as the checksum for /usr/bin/perl.
So it's assumed that code will run on the same machine it was built on? Using literally the same interpreter binary? If not, are you sure that building the same source on different machines will produce exactly the same binary?
This wasn't very clear because I wrote it in a rush.
The idea is that when you have an interpreter-based package, you checksum the interpreter you built against and you save that checksum in the package's metadata. Then when you call pakket verify, you give a package (or a category) and a binary you will use as the interpreter. This will tell you if it's the same interpreter that was used when you built the package.
Having the backstory would be useful; I didn't include it. We had built everything in a chroot and then moved it to the production machine. We then realized it failed during runtime (not compile-time) because there was a binary incompatibility. It wasn't the perl interpreter version but an RPM release of it that included extra patches that changed the binary compatibility.
Being able to run pakket verify perl /usr/bin/perl would allow us to make sure all the "perl" packages we have were built against the same /usr/bin/perl binary.
Right, I understand that. But my question still remains. Consider this. You build perl 5.24.0 on your build machine from source and then use it to build some Perl XS modules. You then install those modules on a different machine that also has perl 5.24.0 built from source (no extra patches or anything like that). Even though both interpreters have the same version and ABI, they might have different checksums. So to rephrase my question: are you sure that building perl from source is 100% reproducible? Without that, IMO, verification does not make a lot of sense.
This was discussed and resolved in person. For the record, I want to clarify what this issue is about:
We want to provide some assurance that the packages will work on said binary. While this is a very hard problem to solve, we reduce it to the following question: Is this the exact same binary that was used for building? If the answer is "yes", we know for sure, 100%, that it will work with it. If the answer is "no", it might still work, but we don't know for sure.
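The check described in the opening post and in the clarifying comment above, written out as an added example that is not pakket's own code (Python rather than Perl, so it runs stand-alone): at build time the SHA-256 of the interpreter is stored in the package metadata, and at verify time the given binary is hashed once and compared with every package in the category. The `interpreter` metadata key, the function names and the two sample packages are assumptions made for the example. It also shows the point the thread settles on: a match proves the packages were built against this exact binary, while a mismatch only means "unknown", which the constructed scenario demonstrates with two stand-in binaries that report the same version but differ in content.

```python
"""Interpreter checksum recording and verification, illustrating the
pakket verify idea from this thread (added example, not pakket's code)."""
import hashlib
import os
import tempfile


def sha256_of_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    """Stream the file so a large interpreter binary need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def record_interpreter(meta, interpreter_path):
    """Build time: attach the checksum of the interpreter the package was built
    against to its metadata. The 'interpreter' key is a hypothetical layout."""
    meta["interpreter"] = {
        "path": interpreter_path,
        "sha256": sha256_file(interpreter_path),
    }
    return meta


def verify_category(packages, interpreter_path):
    """Verify time: hash the target binary once and compare it with the checksum
    stored in every package of the category. Returns a list of
    (package, expected, actual) for packages whose recorded interpreter differs
    or that recorded none; an empty list means every package was built against
    this exact binary. A non-empty list does not prove the packages are broken,
    only that identity could not be established."""
    actual = sha256_file(interpreter_path)
    mismatches = []
    for name, meta in sorted(packages.items()):
        expected = meta.get("interpreter", {}).get("sha256")
        if expected != actual:
            mismatches.append((name, expected, actual))
    return mismatches


def demo():
    """Constructed scenario: two packages built against one binary, then verified
    against that binary and against a differently patched one."""
    with tempfile.TemporaryDirectory() as d:
        build_perl = os.path.join(d, "perl-build")
        target_perl = os.path.join(d, "perl-target")
        # Constructed stand-ins for interpreter binaries. The second mimics a
        # vendor release with extra patches: same version string, different file.
        with open(build_perl, "wb") as f:
            f.write(b"perl 5.24.0 (stand-in)\n")
        with open(target_perl, "wb") as f:
            f.write(b"perl 5.24.0 (stand-in, vendor patch set)\n")

        packages = {}
        for name in ("perl/DBI", "perl/Moose"):  # hypothetical package names
            packages[name] = record_interpreter({"name": name}, build_perl)

        same = verify_category(packages, build_perl)
        other = verify_category(packages, target_perl)
        return len(same), len(other)


if __name__ == "__main__":
    same, other = demo()
    print("mismatches against build binary:", same)
    print("mismatches against patched binary:", other)
```

Running the demo reports zero mismatches against the binary used at build time and two against the patched stand-in, even though both "claim" perl 5.24.0. That is the intended behaviour: the check answers "is this the exact same binary?" and nothing more, so a rebuilt interpreter of the same version will also fail it, as the discussion above notes.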