[Nix-dev] Deterministic(bit-perfect) Builds
phreedom at yandex.ru
Tue Jun 25 16:18:46 CEST 2013
On Tuesday 25 June 2013 15:40:11, Marc Weber wrote:
> Hi Evgeny Egorochkin,
>
> I've created this page long time ago:
> https://nixos.org/wiki/Nix_impurities
>
> So how do you exactly "fix" those impurities?
Not all these impurities need to be fixed. In fact it's enough to simply
terminate the build if it does something really unusual and ask the user to
patch it. If the build system really wants to break purity, it can launch a
benchmarking attack anyway. But then again such a build system can be quickly
found and patched assuming that 99.9% of other packages build reliably.
I have a hard time coming up with any way to weaponize benchmarking. It can be
used to roughly identify the building machine. If the number of users is small,
it can compile in a backdoor targeted to a paranoid user who compiles
everything from source if this user's hardware config is known and unique. But
this requires that the source code is already compromised, so all these tricks
are probably useless.
> Maybe consider updating that wiki adding a line
> "fixed by doing X"
As I said, I'd rather identify the rare build that does most of those nasty
things and fix it.
I would try intercepting and sanitizing date, uname and /proc/meminfo, let file
access to the build dir and Nix store flow freely, and abort for everything else,
plus or minus some minor tweaks. Shouldn't be too hard and would cover a very large
subset of builds. There might be some nastiness with tests though :(
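The policy sketched in the message above (sanitize the known impurity sources, let the build directory and the Nix store through, abort on anything else), as an added example that is not part of the original post or of Nix itself. It is a toy checker run over constructed strace-style lines, not real build output; the build directory, store path, syscall lists and sample trace are all assumptions made here for illustration, and a real implementation would enforce this in a sandbox rather than after the fact.

```python
"""
Added example, not from the original post or from Nix: a toy purity checker
that scans strace-style syscall lines and classifies each access as
  allow     - file under the build dir or the Nix store (or /dev/null)
  sanitize  - a known impurity source (uname, time syscalls, /proc/meminfo)
              that an interposer would answer with canned values
  abort     - anything else, which should stop the build for patching
The paths, syscall names and trace lines below are constructed assumptions.
"""
import os
import re
from typing import Iterable, List, Tuple

# Hypothetical locations; a real build would take these from the environment.
BUILD_DIR = "/tmp/nix-build-hello-1.0"
STORE_DIR = "/nix/store"

# Syscalls that leak host identity or wall-clock time ("date" and "uname" in
# the post): intercept and feed canned answers instead of aborting.
SANITIZE_SYSCALLS = {"uname", "time", "gettimeofday", "clock_gettime"}
SANITIZE_PATHS = {"/proc/meminfo", "/proc/cpuinfo", "/etc/hostname"}

# Syscalls whose first quoted argument is a filesystem path.
PATH_SYSCALLS = {"open", "openat", "stat", "lstat", "newfstatat",
                 "access", "execve", "readlink"}

SYSCALL_RE = re.compile(r"^(\w+)\((.*)\)\s*=\s*(-?\d+)")
QUOTED_RE = re.compile(r'"([^"]*)"')


def _under(path: str, root: str) -> bool:
    """Prefix check with a directory boundary so /nix/store-evil is not /nix/store."""
    return path == root or path.startswith(root + "/")


def classify_path(path: str, cwd: str = BUILD_DIR) -> str:
    """Normalise a path (relative to the build dir, '..' collapsed) and judge it."""
    full = os.path.normpath(path if os.path.isabs(path) else os.path.join(cwd, path))
    if full in SANITIZE_PATHS:
        return "sanitize"
    if full == "/dev/null":
        return "allow"
    if _under(full, BUILD_DIR) or _under(full, STORE_DIR):
        return "allow"
    return "abort"


def classify_line(line: str) -> Tuple[str, str, str]:
    """Return (syscall, path, verdict) for one trace line; unparseable lines are ignored."""
    m = SYSCALL_RE.match(line.strip())
    if not m:
        return ("", "", "ignore")
    name, args = m.group(1), m.group(2)
    if name in SANITIZE_SYSCALLS:
        return (name, "", "sanitize")
    if name in PATH_SYSCALLS:
        pm = QUOTED_RE.search(args)
        if pm:
            return (name, pm.group(1), classify_path(pm.group(1)))
    # read/write/mmap on already-open descriptors etc.: nothing new to judge.
    return (name, "", "allow")


def check_trace(lines: Iterable[str]) -> Tuple[bool, List[str], List[str]]:
    """Scan a trace; return (build_ok, things_to_sanitize, offending_lines)."""
    to_sanitize, offenders = [], []
    for line in lines:
        name, path, verdict = classify_line(line)
        if verdict == "sanitize":
            to_sanitize.append(path or name)
        elif verdict == "abort":
            offenders.append(line.strip())
    return (not offenders, to_sanitize, offenders)


# Constructed sample trace (not captured from a real build).
SAMPLE_TRACE = [
    'execve("/nix/store/abc123-gcc-4.8/bin/gcc", ["gcc", "-c", "main.c"], [/* 12 vars */]) = 0',
    'openat(AT_FDCWD, "main.c", O_RDONLY) = 3',
    'openat(AT_FDCWD, "/nix/store/xyz789-glibc-2.17/include/stdio.h", O_RDONLY) = 4',
    'openat(AT_FDCWD, "/dev/null", O_WRONLY) = 5',
    'uname({sysname="Linux", nodename="builder42", ...}) = 0',
    'openat(AT_FDCWD, "/proc/meminfo", O_RDONLY) = 6',
    'openat(AT_FDCWD, "/nix/store/../../etc/passwd", O_RDONLY) = 7',
    'stat("/home/alice/.gccrc", 0x7ffd0000) = -1 ENOENT (No such file or directory)',
    '+++ exited with 0 +++',
]

if __name__ == "__main__":
    ok, sanitize, bad = check_trace(SAMPLE_TRACE)
    print("build ok:", ok)
    print("sanitize:", sanitize)
    for line in bad:
        print("ABORT:", line)
```

The two offenders in the sample are the ones a prefix check without normalisation would miss (a `..` escape out of the store) and a read of a user dotfile outside the build tree; the `uname` and `/proc/meminfo` hits are reported separately as things to sanitize rather than as failures.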