On Monday, 18 July 2016 at 20:57:12 UTC+2, Gregory Szorc wrote:
> On Sun, Jul 17, 2016 at 9:38 AM, David Bruant <bruan...@gmail.com> wrote:
> 
> We already have deterministic packaging in some parts of Firefox (notably
> most XPIs and omni.ja files). We've done this by implementing our own
> jar/zip archiving layer (
> https://dxr.mozilla.org/mozilla-central/source/python/mozbuild/mozpack/mozjar.py)
> which pins times, sorts files before writing, etc. We just haven't applied
> this to all parts of packaging yet. We know what we have to do here.

Out of curiosity, do you have a bug number tracking this work off-head?


> A significant obstacle to even comparable builds is "private" data embedded
> within Firefox. e.g. Google API Keys. I /think/ we're also shipping some
> DRM blobs. Then of course there is build signing, which takes a private key
> and cryptographically signs builds/installers. With these in play, there is
> no way for anybody not Mozilla to do a bit-for-bit reproduction of most
> (all?) of the Firefox distributions at
> https://www.mozilla.org/en-US/firefox/all/. The best we can do is ask you
> to compare the extracted/packaged files and compare them - modulo pieces
> like the Google API Key - to what a 3rd party entity has produced.
> Unfortunately, I'm not sure that will be trivial, as I believe these
> private blobs of data are embedded within libxul. So your comparison tool
> would have to know how to read library headers and possibly even assembly
> code. At some point, the ability to audit a Firefox distribution is
> undermined enough that a security professional may not feel comfortable
> saying it looks good.

Blah, anything that's more than unzip + file traversal (with blacklist) + byte 
comparison seems too complicated to audit to be worth it.

I'm delighted to read the followup answers explaining some things are 
downloaded on Firefox first run.
For the private data, I'm tempted to ask whether these could be in a separate 
file (which the comparator could safely ignore) and loaded dynamically, but I 
guess there is a trade-off to address with Mozilla's willingness of keeping 
them "private".

In any case, thank you for your answer!

David
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
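The two mechanisms discussed in this thread, an archive writer that pins timestamps and sorts entries so the output depends only on file contents, and a comparator that walks two archives and byte-compares members while skipping a blacklist of "private" paths, are illustrated below. This is an added example for readers of the thread, not code from mozjar.py or from either poster; the function names, the pinned 1980-01-01 timestamp, the fixed 0644 mode and the glob-style blacklist are assumptions chosen for the illustration.

```python
import fnmatch
import io
import zipfile
from typing import Dict, Iterable

# Assumed constant: the earliest date a zip entry can carry, used so the
# archive bytes never depend on the wall-clock time of the build.
PINNED_TIME = (1980, 1, 1, 0, 0, 0)


def write_deterministic_zip(files: Dict[str, bytes]) -> bytes:
    """Write an in-memory zip whose bytes depend only on member names and contents.

    Sources of nondeterminism removed: insertion order (entries are sorted),
    mtime (pinned), unix mode bits and the creator-system byte (both fixed).
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name in sorted(files):
            info = zipfile.ZipInfo(name, date_time=PINNED_TIME)
            info.compress_type = zipfile.ZIP_DEFLATED
            info.create_system = 3            # always "unix", whatever host built it
            info.external_attr = 0o644 << 16  # fixed mode bits instead of the host's
            zf.writestr(info, files[name])
    return buf.getvalue()


def extract_members(archive: bytes) -> Dict[str, bytes]:
    """Return {member path: bytes} for every regular file in the archive."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return {i.filename: zf.read(i) for i in zf.infolist() if not i.is_dir()}


def compare_archives(a: bytes, b: bytes, ignore: Iterable[str] = ()) -> Dict[str, str]:
    """Unzip both archives and byte-compare members, skipping blacklisted paths.

    Returns {path: "only_in_a" | "only_in_b" | "differs"}; an empty dict means
    the two archives match modulo the ignore list. Patterns use fnmatch globs.
    """
    patterns = list(ignore)
    fa, fb = extract_members(a), extract_members(b)
    report: Dict[str, str] = {}
    for name in sorted(set(fa) | set(fb)):
        if any(fnmatch.fnmatch(name, pat) for pat in patterns):
            continue  # e.g. an embedded API-key file the verifier cannot reproduce
        if name not in fa:
            report[name] = "only_in_b"
        elif name not in fb:
            report[name] = "only_in_a"
        elif fa[name] != fb[name]:
            report[name] = "differs"
    return report


if __name__ == "__main__":
    # Constructed sample: a "vendor" build and a "third-party" rebuild that
    # agree on everything except a private key file.
    vendor = {"b.txt": b"B", "a.txt": b"A", "keys/api.json": b"vendor-secret"}
    rebuild = {"a.txt": b"A", "keys/api.json": b"placeholder", "b.txt": b"B"}
    print(compare_archives(write_deterministic_zip(vendor),
                           write_deterministic_zip(rebuild), ignore=["keys/*"]))
```

The writer is the part that makes the comparator cheap: once every member is written in sorted order with fixed metadata, two archives built from the same inputs are byte-identical, so the comparator only has to explain the members it was told to ignore rather than every stray timestamp.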