On 2016-07-18 2:56 PM, Gregory Szorc wrote: > A significant obstacle to even comparable builds is "private" data embedded > within Firefox. e.g. Google API Keys. I /think/ we're also shipping some > DRM blobs. Then of course there is build signing, which takes a private key > and cryptographically signs builds/installers. With these in play, there is > no way for anybody not Mozilla to do a bit-for-bit reproduction of most > (all?) of the Firefox distributions at > https://www.mozilla.org/en-US/firefox/all/. The best we can do is ask you > to compare the extracted/packaged files and compare them - modulo pieces > like the Google API Key - to what a 3rd party entity has produced. > Unfortunately, I'm not sure that will be trivial, as I believe these > private blobs of data are embedded within libxul. So your comparison tool > would have to know how to read library headers and possibly even assembly > code. At some point, the ability to audit a Firefox distribution is > undermined enough that a security professional may not feel comfortable > saying it looks good.
These API keys are all written into nsURLFormatter.js: <http://searchfox.org/mozilla-central/source/toolkit/components/urlformatter/nsURLFormatter.js#117>. AFAIK none of these keys are written into libxul. But at any rate, since these keys are not secrets (as we distribute them inside the builds!) you can always pass the identical keys in to the build system and should be able to get a bit-identical key out, right? _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
