Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
a
alessandrogario
11/14/2018, 10:43 PM@fmanco will it be possible to easily setup a system that builds a binary that has the same hash as the binary released upstream? (i'm talking about 100% reproducible builds)
f
fmanco
11/14/2018, 10:56 PMIn some sense yes. Buck is actually much better at guaranteeing reproducible builds than CMake. If you take a look at https://buckbuild.com/ this is the second thing highlighted. However we're not going to provide a toolchain anymore, so as far as you use the same toolchain this should be possible, but that's something that we're not providing, at least yet.
g
groob
11/14/2018, 10:59 PMso, the real answer is no, not possible
a
alessandrogario
11/14/2018, 11:01 PMIs the toolchain you are going to use internally public? Is it possible to replicate it?
💯 1
f
fmanco
11/15/2018, 2:42 AM@groob indeed no. But just to clarify are you talking about getting any distro building osquery and getting the exact same binary, or just building twice out of the same VM image giving the same binary?
@alessandrogario the toolchain we're going to use depends on the base system. We're still working out the details, but the idea is to install whatever comes with your distro and build out of that.
a
alessandrogario
11/15/2018, 2:44 AMI see; but doesn't that mean that osquery will have to build once for each supported system and distribution?
Having a standard toolchain is great right now because everything is almost 100% static and the same binaries (built once) can work everywhere
👍 1
And this makes it possible to output the same binary from two different systems if both are compiling from the same commit
f
fmanco
11/15/2018, 2:52 AMPossibly yes we would need to build for each os if we don't statically link everything. I'll check whether we'll be able to provide a toolchain as well. In fact the external build is something we're still finalising. What is clear is that toolchain will be out of the code dependencies (so you can build with whatever toolchain you like), but we can try to make it part of provisioning.
g
groob
11/15/2018, 2:53 AMstatic binaries are awesome. please keep them ❤️
f
fmanco
11/15/2018, 2:54 AMIndeed this would theoretically make it possible to have completely reproducible builds but AFAIK the current system doesn't do that either. If you build the same commit out of Ubuntu and Centos you'll get different binaries. Buck puts us in a better place to make this happen.
a
alessandrogario
11/15/2018, 2:54 AMA small note though; it is already possible to use an arbitrary toolchain (and call CMake directly without the current Makefile wrapper)
👍 1
f
fmanco
11/15/2018, 2:58 AM@groob yes we will. But if you look at the current binary it is not 100% statically linked, we still have some dynamic libs.
g
groob
11/15/2018, 2:59 AMthat’s mostly fine
a
alessandrogario
11/15/2018, 3:03 AMI think that having at least a small readme that shows how build the same toolchain used upstream is really important
f
fmanco
11/15/2018, 10:13 AMWhat exactly do you mean by upstream? Notice that we'll test everything and build packages out of a public toolchain (either provided by us or packaged by the distro).