Open source software allows us to build trust in a distributed, collaborative software development process, to know that the software behaves as expected and is reasonably secure. But the benefits of open source are strongest for those who directly interact with the source code. These people can use a computer which they trust to compile the source code into an operational version for themselves. Distributing binaries of open source software breaks this trust model, and reproducible builds restores it.
Tendermint Inc is taking the first steps towards a trustworthy binary distribution process. Our investment in reproducible builds makes doing binary distributions of the gaia software a possibility. Check out Daisy Slots inspired with reproducible builds. We envision that the Cosmos Hub community will be our partners in building trust in this process. The governance features of the Cosmos Hub will enable a novel collaboration between Tendermint and that validator community to release only binaries that can be trusted by anyone.
Here is our game plan.
The release of the cosmoshub-3 will support our new reproducible build process. Tendermint developers will make a governance proposal with the hashes of all supported binaries. We will ask ATOM holders to reproduce the builds on computers they control and vote YES if the hashes match.
If the proposal passes, we will make the binaries available here via Github.
The benefits of reproducible builds
Gaia reproducible binaries then bring many significant advantages to developers and end users:
- Build sanity — the guarantee that the gaia suite can always be built from sources.
- Enable third-parties to independently verify executables to ensure that no vulnerabilities were introduced at build time.
- Large body of independent builders can eventually come to consensus on the correct reproducible binary output and protect themselves from targeted attacks.
How to verify that gaia binaries correspond to a repository snapshot
The gaia repository comes with the required tooling to build both server and client applications deterministically. First you need to clone https://github.com/cosmos/gaia and checkout the release branch or the commit you want to produce the binaries from. For instance, if you intend to build and sign reproducible binaries for all supported platforms of gaia’s master branch, you may want to do the following:
git clone https://github.com/cosmos/gaia && cd gaia chmod +x contrib/gitian-build.sh ./contrib/gitian-build.sh -s email@example.com all
Append the -c flag to the above command if you want to upload your signature to the http://github.com/gaia/gaia.sigs repository as well.
If you want to build the binaries only without signing the build result, just type:
Further information can be found here: github.com/cosmos/gaia/…/docs/reproducible-builds.md
Co-authored with Zaki Manian