
Open source software allows us to build trust in a distributed, collaborative software development process, to know that the software behaves as expected and is reasonably secure. But the benefits of open source are strongest for those who directly interact with the source code. These people can use a computer which they trust to compile the source code into an operational version for themselves. Distributing binaries of open source software breaks this trust model, and reproducible builds restore it.
Tendermint Inc is taking the first steps towards a trustworthy binary distribution process. Our investment in reproducible builds makes binary distribution of the gaia software possible. We envision that the Cosmos Hub community will be our partners in building trust in this process. The governance features of the Cosmos Hub will enable a novel collaboration between Tendermint and that validator community to release only binaries that can be trusted by anyone.
Here is our game plan.
The release of cosmoshub-3 will support our new reproducible build process. Tendermint developers will make a governance proposal with the hashes of all supported binaries. We will ask ATOM holders to reproduce the builds on computers they control and vote YES if the hashes match.
If the proposal passes, we will make the binaries available here via GitHub.
The benefits of reproducible builds
Reproducible gaia binaries bring many significant advantages to developers and end users:
- Build sanity — the guarantee that the gaia suite can always be built from sources.
- Enable third parties to independently verify executables to ensure that no vulnerabilities were introduced at build time.
- A large body of independent builders can eventually come to consensus on the correct reproducible binary output and protect themselves from targeted attacks.
How to verify that gaia binaries correspond to a repository snapshot
The gaia repository comes with the required tooling to build both server and client applications deterministically. First, clone https://github.com/cosmos/gaia and check out the release branch or the commit you want to produce the binaries from. For instance, if you intend to build and sign reproducible binaries for all supported platforms of gaia’s master branch, you may want to do the following:
```
git clone https://github.com/cosmos/gaia && cd gaia
chmod +x contrib/gitian-build.sh
./contrib/gitian-build.sh -s email@example.com all
```
Append the -c flag to the above command if you want to upload your signature to the http://github.com/gaia/gaia.sigs repository as well.
If you want to build the binaries only without signing the build result, just type:
```
./contrib/gitian-build.sh all
```
Further information can be found here: github.com/cosmos/gaia/…/docs/reproducible-builds.md
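Once a build finishes, the comparison against the published hashes can be scripted. The following is an added example, not part of the gaia repository: the function names and the manifest format (`sha256sum`-style lines of digest and file name) are assumptions, and the build directory is whatever location holds your locally produced binaries.

```shell
#!/bin/sh
# Added example: compare locally reproduced binaries with published hashes.
# Assumed manifest format, one entry per line: "<sha256 hex>  <file name>"

# Print the SHA-256 digest of a file with whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_manifest MANIFEST BUILD_DIR
# Prints one line per entry; returns 0 only if at least one entry was
# checked and every listed file hashes to the published value.
verify_manifest() {
    manifest=$1; build_dir=$2; status=0; checked=0
    while read -r want name || [ -n "$want" ]; do
        [ -z "$want" ] && continue             # blank line
        case $want in \#*) continue ;; esac    # comment line
        name=${name#\*}                        # sha256sum binary-mode marker
        checked=$((checked + 1))
        # A manifest entry must name a file directly inside BUILD_DIR.
        case $name in */*) echo "REJECT   $name"; status=1; continue ;; esac
        if [ ! -f "$build_dir/$name" ]; then
            echo "MISSING  $name"; status=1; continue
        fi
        want=$(printf '%s' "$want" | tr 'A-F' 'a-f')
        got=$(sha256_of "$build_dir/$name")
        if [ "$got" = "$want" ]; then
            echo "MATCH    $name"
        else
            echo "MISMATCH $name (published $want, built $got)"; status=1
        fi
    done < "$manifest"
    # An empty manifest proves nothing, so it must not count as a pass.
    [ "$checked" -gt 0 ] || { echo "EMPTY    $manifest"; status=1; }
    return $status
}
```

A non-zero return means at least one binary could not be reproduced bit for bit, which is the case where the hashes do not support a YES vote.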
Credits
Co-authored with Zaki Manian

Within the next three years, more than seven billion people and businesses will be connected to the Internet. During this time of dramatic increases in access to the Internet, networks have seen an interesting proliferation of systems for digital identity management (i.e. our SPID in Italy). But what is really meant by “digital identity“? All these systems are implemented in order to have the utmost certainty that the data entered by the subscriber (address, name, birth, telephone, email, etc.) is directly coincident with that of the physical person. In other words, data are certified to be “identical” to those of the user; there is a perfect overlap between the digital page and the authentic user certificate: an “idem“, that is, an identity.
There is an empty chair at the conference table of business professionals, an unassigned place that increasingly demands the presence of a new type of integration manager. The demands for ever-increasing specialization, imposed by the modern world, are bringing out with great emphasis the need for an interdisciplinary professional who understands the demands of specialists and who is able to coordinate and link actions and decisions. This need, often still ignored, is a direct result of the growing complexity of the modern world and the fast communications inside the network.
In the perennial search for the meaning of life and the fundamental laws that govern nature, man has always been faced – for millennia – with the mysterious concept of emptiness. What is emptiness? Does it really exist in nature? Is emptiness the non-being, as theorized by Parmenides?

with the Whole and they represent the most pristine prototype of the human being. From birth and for the first years of life, the child is the mirror of our species, who carries in himself the primary elements and the roots of evolution, without conditions or interference.