Delta Chat Reproducible Build

What is the status of Delta Chat with regard to reproducible builds? (I.e., a guarantee that the binary build corresponds precisely to the source input (or the advertised source input).)

See:


There were no efforts to make DC builds reproducible so far because this would be quite some effort, esp. as we are developing a core in Rust and 3 different UIs.

Thanks for your response. I was afraid the answer might be something
along those lines.

I would like to point out, as someone not involved in the development
of Delta Chat (and therefore it’s easy for me to say), the following:

  1. Applications like Delta Chat are a prime target for nation state compromise.

  2. The open source nature of Delta Chat means that binary build injection techniques are definitely on the menu.

  3. Binary injection during the build process is, for all practical purposes, undetectable without reproducible builds.

  4. Such binary injections are able to cause catastrophic loss of security properties.

  5. Certain groups of Delta Chat users may have a lot riding on the integrity of the Delta Chat application.

What I am saying is that reproducible builds is not a nice-to-have,
but an essential property of the software, given its intended
application areas.

Naturally, there are other threat vectors, such as operating system
level compromise (Android, iOS and so on). But many of those issues
are outside of the control of the Delta Chat developers. Although
reproducible builds are difficult, they are not outside the control of
Delta Chat developers.

I would therefore recommend that reproducible builds be explicitly
entered somewhere into the list of priorities for future work on Delta
Chat.

Once again, I’m not saying that it’s either quick or easy to do. I’m
just saying it’s necessary.

David


To be exact, the lack of access to the main sources for people in restricted nations like Cuba already increases the risk of undetected binary injections or unreliable third-party modified builds, as third-party sources are the main way to obtain the app in many cases.

As for Session, unlike Delta Chat apk releases, it provides, at least, checksums and extra signatures for every provided build (https://github.com/loki-project/session-android/releases), in which some “issues” ended in a few faulty hashes in some older releases over time, which was already criticized by the community, including me (https://github.com/loki-project/session-android/issues/179).

The problem of using binaries from untrusted sources is already solved
by publishing signed cryptographically secure checksums of the
official binary releases, like the Debian project does. It would
appear, therefore, that you have not yet appreciated the problem that
reproducible builds solve. The problem is that the Delta Chat
developers /themselves/ do not know, without having reproducible
builds, if they are distributing compromised binaries.

Of course, it is also not an argument that because some users may not
benefit, then all users will be made to suffer the same fate.

David
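The check described in the post above, as an added example that is not part of the thread and not Delta Chat's own build code: the same sources are packaged twice from two independent checkouts and the digests compared, once with a naive packaging step and once with the normalisations the Reproducible Builds project recommends (a fixed SOURCE_DATE_EPOCH, sorted members, neutral ownership, no build path). The sample sources and the "build" step are constructed stand-ins for a real compile.

```python
"""Added example (not Delta Chat's code): build an artefact twice from two
independent checkouts of the same sources and compare digests, first with a
naive packaging step and then with the normalisations the Reproducible Builds
project recommends (fixed SOURCE_DATE_EPOCH, sorted entries, neutral ownership,
no build path). The sources and the "build" step are constructed stand-ins."""
import gzip
import hashlib
import io
import os
import tarfile
import tempfile
import time

# Constructed stand-in for a checkout; a real pipeline would compile here.
SAMPLE_SOURCES = {
    "src/lib.rs": b'pub fn hello() -> &\'static str { "hello" }\n',
    "Cargo.toml": b'[package]\nname = "example"\nversion = "0.0.0"\n',
}


def write_sources(root):
    """Materialise SAMPLE_SOURCES under root, as a fresh checkout would."""
    for rel, data in SAMPLE_SOURCES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def naive_build(src_root):
    """Common non-reproducible packaging: the gzip header records the current
    time, and a BUILD_INFO member embeds the wall clock and the checkout path."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        tar.add(src_root, arcname="pkg")  # real uid/gid/mtime of the checkout
        stamp = f"built {time.time_ns()} from {src_root}\n".encode()
        info = tarfile.TarInfo("pkg/BUILD_INFO")
        info.size = len(stamp)
        info.mtime = int(time.time())
        tar.addfile(info, io.BytesIO(stamp))
    return buf.getvalue()


def _files_under(root):
    """Relative POSIX paths of all regular files below root, sorted."""
    found = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            found.append(rel.replace(os.sep, "/"))
    return sorted(found)


def reproducible_build(src_root, source_date_epoch=0):
    """Same contents, but every source of variation is pinned: gzip header
    time, member order, mtime, uid/gid/uname/gname, mode and archive paths."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=source_date_epoch) as gz:
        with tarfile.open(fileobj=gz, mode="w", format=tarfile.USTAR_FORMAT) as tar:
            for rel in _files_under(src_root):
                full = os.path.join(src_root, rel)
                info = tar.gettarinfo(full, arcname="pkg/" + rel)
                info.mtime = source_date_epoch
                info.uid = info.gid = 0
                info.uname = info.gname = ""
                info.mode = 0o644
                with open(full, "rb") as fh:
                    tar.addfile(info, fh)
    return buf.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def is_reproducible(build_fn):
    """Run build_fn on two independent checkouts and compare digests. This is
    the check that lets the developers themselves notice a divergent build."""
    digests = []
    for _ in range(2):
        with tempfile.TemporaryDirectory() as checkout:
            write_sources(checkout)
            digests.append(sha256_hex(build_fn(checkout)))
    return digests[0] == digests[1]


if __name__ == "__main__":
    print("naive build reproducible:     ", is_reproducible(naive_build))
    print("normalised build reproducible:", is_reproducible(reproducible_build))
```

The naive variant differs between the two runs because of the gzip timestamp, the embedded build time and the embedded checkout path; the normalised variant yields the same digest from both checkouts, which is exactly what a second, independent builder would need to confirm before a published checksum and signature say anything about the binary's provenance rather than only about its transport.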

I was… supporting your proposition from the beginning… and just added the extra case of Session for, at least, a little advantage…

Thank you. Apologies for the misunderstanding.

David


The first step is to get reproducible builds for the core library, and it depends on this issue being solved: https://github.com/rust-lang/rust/issues/34902

It makes sense to try something like this https://github.com/rust-lang/rust/issues/50556 with the core library and report if it does not build the same binary.

Yes, that seems a good place to begin.

David

In case anyone is interested in this:

On 18th September, Bernhard M. Wiedemann will give a presentation in German, titled Wie reproducible builds Software sicherer machen (“How reproducible builds make software more secure”) at the Internet Security Digital Days 2020 conference.

Of interest:

After many years of development work, the compiler for the Rust programming language now generates reproducible binary code. This generated some general discussion on Reddit on the topic of reproducibility in general.


@David_Trudgett from the link you posted:

OK, well results for 1.45.0 say “unreproducible” again, and the auto-generated diff did not complete after 2 hours. Shall I open an issue for CI integration tests on this? If I understand correctly there are concerns about it taking up too much resources, or something.