Rebuilderd - An Independent Binary Package Verification System for Arch Linux


The launch of Rebuilderd was recently announced. It is positioned as an independent verification system for binary packages: it lets a distribution organize the verification of its packages by running a continuous build process that compares the downloadable packages with the packages obtained by rebuilding them on a local system.

In other words, the system provides a service that monitors the state of the package index and automatically starts rebuilding new packages in a reference environment whose state is kept in sync with the settings of Arch Linux's main package build environment.

When rebuilding, details such as exactly matching dependencies, identical and unchanged versions of the build tools, the same set of options and default settings, and the same file ordering during the build (using the same sorting methods) are taken into account.

The build settings also prevent the compiler from embedding non-deterministic metadata such as random values, references to file paths, and the date and time of compilation.
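As an added illustration of this normalization (example code written for this page, not part of rebuilderd), the following Python script packs the same constructed two-file tree twice with different timestamps: the naive archive of the two trees differs, while the normalized one, which sorts members and fixes timestamps and ownership the way a reference build environment does, is identical byte for byte.

```python
import io
import os
import tarfile
import tempfile
from pathlib import Path

# Constructed sample tree standing in for a package's installed files.
SAMPLE_FILES = {"usr/bin/hello": b"#!/bin/sh\necho hello\n", "usr/share/doc/README": b"demo\n"}

def write_tree(root, mtime):
    # Write the sample files under root, stamping each with the given mtime.
    for rel, data in SAMPLE_FILES.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
        os.utime(path, (mtime, mtime))

def naive_archive(root):
    # Keeps filesystem mtimes and owner ids as found: not reproducible.
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        tar.add(root, arcname=".")
    return buf.getvalue()

def reproducible_archive(root, source_date_epoch=0):
    # Normalizes what a reference build environment pins down: sorted member
    # order, one fixed timestamp (SOURCE_DATE_EPOCH) and constant ownership.
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for dirpath, dirnames, filenames in os.walk(root):
            dirnames.sort()  # deterministic traversal order
            for name in sorted(filenames):
                full = os.path.join(dirpath, name)
                info = tar.gettarinfo(full, arcname=os.path.relpath(full, root))
                info.mtime, info.uid, info.gid = source_date_epoch, 0, 0
                info.uname = info.gname = "root"
                with open(full, "rb") as fh:
                    tar.addfile(info, fh)
    return buf.getvalue()

def compare_two_builds():
    # Build the tree twice with different mtimes; compare archives byte for byte.
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        write_tree(a, 1_600_000_000)
        write_tree(b, 1_700_000_000)
        return {"naive_match": naive_archive(a) == naive_archive(b),
                "reproducible_match": reproducible_archive(a) == reproducible_archive(b)}

if __name__ == "__main__":
    print(compare_two_builds())
```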

About Rebuilderd

Currently only experimental support for checking Arch Linux packages is available in rebuilderd, but there are plans to add Debian support soon.

Currently, reproducible builds are provided for 84.1% of the packages in the main Arch Linux repository, 83.8% of the extra repository and 76.9% of the community repository. For comparison, in Debian 10 this figure is 94.1%.

Reproducible builds are an important part of security because they give any user the opportunity to verify that the packages offered by the distribution match, byte for byte, packages they have compiled themselves from source.

Without the ability to verify that a compiled binary is identical, the user can only blindly trust someone else's build infrastructure, where a compromised compiler or build tools could allow hidden backdoors to be inserted.

Installation and execution

In the simplest case, to run rebuilderd it is enough to install the rebuilderd package from the regular repository, import the GPG key used to verify the build environment and enable the corresponding system service. It is also possible to set up a network of multiple rebuilderd instances.

To install, we must open a terminal and in it we type the following command:

sudo pacman -S rebuilderd

Once that is done, we must import the GPG key, since Rebuilderd has to verify the signature of the Arch Linux bootstrap image it downloads; for this we type the following command in the terminal:

gpg --auto-key-locate nodefault,wkd --locate-keys pierre@archlinux.de

After this we have to add our user to the rebuilderd group, otherwise we may get a permission error:

sudo usermod -aG rebuilderd $USER

Now we simply have to verify that Rebuilderd is already running on the system; for this we just type:

rebuildctl status

And in case we want to share results over the network, we have to type:

systemctl enable --now rebuilderd rebuilderd-worker@alpha

Now it is important to note that Rebuilderd will not do anything until it is explicitly told where to synchronize packages from. For this we edit the /etc/rebuilderd-sync.conf file, where the synchronization profiles are configured; profile names must be unique:

An example of this is the following:

## rebuild all of core
[profile."archlinux-core"]
distro = "archlinux"
suite = "core"
architecture = "x86_64"
source = "https://ftp.halifax.rwth-aachen.de/archlinux/core/os/x86_64/core.db"

## rebuild community packages of specific maintainers
#[profile."archlinux-community"]
#distro = "archlinux"
#suite = "community"
#architecture = "x86_64"
#source = "https://ftp.halifax.rwth-aachen.de/archlinux/community/os/x86_64/community.db"
#maintainer = ["somebody"]

Once the file has been modified, you simply have to enable the timer to automatically synchronize the profile:

systemctl enable --now rebuilderd-sync@archlinux-core.timer

Finally, if you want to know more about Rebuilderd, you should know that it is written in Rust and distributed under the GPLv3 license; you can check all its details and the code in the following link.

