Thanks to a Mozilla Open Source Software award, we have been working on making the Tails ISO images build reproducibly. We have made huge progress: since a few months, ISO images built by Tails core developers and our CI system have always been identical. But we're not done yet and we need your help! Our first call for testing build reproducibility in August uncovered a number of remaining issues. We think that we have fixed them all since, and we now want to find out what other problems may prevent you from building our ISO image reproducibly. Please try to build an ISO image today, and tell us whether it matches ours! Build an ISO These instructions have been tested on Debian Stretch and testing/sid. If you're using another distribution, you may need to adjust them. If you get stuck at some point in the process, see our more detailed build documentation and don't hesitate to contact us:
- Install the build dependencies:
sudo apt install \ git \ rake \ libvirt-daemon-system \ dnsmasq-base \ ebtables \ qemu-system-x86 \ qemu-utils \ vagrant \ vagrant-libvirt \ vmdebootstrap && \ sudo systemctl restart libvirtd
- Ensure your user is in the relevant groups:
for group in kvm libvirt libvirt-qemu ; do sudo adduser "$(whoami)" "$group" done
- Logout and log back in to apply the new group memberships.
Send us feedback! No matter how your build attempt turned out we are interested in your feedback. Gather system information To gather the information we need about your system, run the following commands in the terminal where you've run
git clone https://git-tails.immerda.ch/tails && \ cd tails && \ git checkout 3.2-alpha2 && \ git submodule update --init && \ rake build
Then check that the generated file doesn't contain any sensitive information you do not want to leak:
sudo apt install apt-show-versions && \ ( for f in /etc/issue /proc/cpuinfo do echo "--- File: $ f ---" cat "$ f " echo done for c in free locale env 'uname -a' '/usr/sbin/libvirtd --version' \ 'qemu-system-x86_64 --version' 'vagrant --version' do echo "--- Command: $ c ---" eval "$ c " echo done echo '--- APT package versions ---' apt-show-versions qemu:amd64 linux-image-amd64:amd64 vagrant \ libvirt0:amd64 ) bzip2 > system-info.txt.bz2
Next, please follow the instructions below that match your situation! If the build failed Sorry about that. Please help us fix it by opening a ticket:
- set Category to Build system;
- paste the output of
system-info.txt.bz2(this will publish that file).
Compare your checksum with ours:
If the checksums match: success, congrats for reproducing Tails 3.2~alpha2! Please send an email to email@example.com (public) or firstname.lastname@example.org (private) with the subject "Reproduction of Tails 3.2~alpha2 successful" and
system-info.txt.bz2attached. Thanks in advance! Then you can stop reading here. Else, if the checksums differ: too bad, but really it's good news as the whole point of the exercise is precisely to identify such problems :) Now you are in a great position to help improve the reproducibility of Tails ISO images by following these instructions:
diffoscopeversion 83 or higher and all the packages it recommends. For example, if you're using Debian Stretch:
sudo apt remove diffoscope && \ echo 'deb http://ftp.debian.org/debian stretch-backports main' \ sudo tee /etc/apt/sources.list.d/stretch-backports.list && \ sudo apt update && \ sudo apt -o APT::Install-Recommends="true" \ install diffoscope/stretch-backports
- Download the official Tails 3.2~alpha2 ISO image.
- Compare the official Tails 3.2~alpha2 ISO image with yours:
diffoscope \ --text diffoscope.txt \ --html diffoscope.html \ --max-report-size 262144000 \ --max-diff-block-lines 10000 \ --max-diff-input-lines 10000000 \ path/to/official/tails-amd64-3.2~alpha2.iso \ path/to/your/own/tails-amd64-3.2~alpha2.iso bzip2 diffoscope. txt,html
- Send an email to email@example.com (public) or firstname.lastname@example.org
(private) with the subject "Reproduction of Tails 3.2~alpha2
- the smallest file among
diffoscope.html.bz2, except if they are larger than 100 KiB, in which case better upload the file somewhere (e.g. share.riseup.net and share the link in your email.