Build logs
redshiftzero edited this page Nov 20, 2019
·
2 revisions
- The goal with these build logs is to have a clear record of what happened during the build process for the purpose of retrospectives. This can help us determine if mistakes are made during the build (since some of the process is manual) and for incident response.
- Does not protect against a malicious insider
- Does not protect against compromised pip dependencies, that is done via hashes in the requirements file
- Does not protect against compromised build machine
Builders should save their terminal output starting with:
- Checking out the build tag (and verifying it if it is signed with the airgap key)
-
make build-debsoutput - the SHA256 sum of the built debs
- for a production build: cat the Release file and Release.gpg
Finally, they should sign the entire document and place into the wiki with a link in the section below.
- Stored in: https://github.com/freedomofpress/build-logs