No release on GitHub #13

Open
ideologysec opened this issue Jul 23, 2024 · 2 comments


ideologysec commented Jul 23, 2024

The handbook states that a release can be downloaded from the reproducible build server, or from the official GitHub, which this is.

https://robur-coop.github.io/miragevpn-handbook/qubes_miragevpn.html

There do not appear to be binary releases pushed on GitHub - is this intentional and a typo in the handbook?

Additionally, the sha256 on GitHub (https://github.com/robur-coop/qubes-miragevpn/blob/main/qubes-miragevpn.sha256) does not match the most recent downloaded version from the build server. Where is the appropriate sha256 published for checking?

Contributor

reynir commented Jul 23, 2024

There seem to be artifacts published on each action, e.g. this latest one: https://github.com/robur-coop/qubes-miragevpn/actions/runs/10033371815
We should maybe publish them as releases. Maybe @dinosaure has an opinion on this. In either case we should probably make it more clear in the handbook where to find the binary releases from GitHub.

What sha256 checksum to check against is a good question. The builds on builds.robur.coop use the latest system packages and opam (OCaml package manager) packages. Furthermore, we are building on different platforms: FreeBSD 14 and now Debian 11 and Debian 12 too. It is expected that different platforms will not reproduce the same binary. Updates in dependencies or system packages can also break reproducibility. However, enough information should be recorded that you should be able to reproduce the build (using orb). I was hoping the Debian 12 build would reproduce the GitHub action / Docker build, but unfortunately not.

The Docker build (see the Dockerfile) pins the Debian repository to a fixed snapshot. It also uses a fixed snapshot of the opam repository (the OCaml packages). Thus the builds are more stable and should consistently reproduce the same build.

So most likely you are interested in the GitHub build as it is most reproducible. On the other hand the builds.robur.coop builds will have the latest versions of dependencies including the latest fixes (and latest bugs).
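The check this answer points to, as an added example that is not part of the thread or of the project's code: refuse to install a downloaded artifact unless its SHA-256 matches the digest pinned in a checksum file, which also shows why a binary from a different builder fails against the GitHub-pinned digest. Assumptions: the checksum file uses `sha256sum`'s `<hex>  <name>` line format, and the function names and the file name `artifact.bin` are constructed for the demo.

```shell
#!/bin/sh
# Added example: gate installation on a pinned SHA-256 digest.
# Assumption: checksum file lines look like "<64 hex>  <name>" (sha256sum format).

# expected_digest CHECKSUM_FILE NAME -> prints the pinned digest for NAME
expected_digest() {
    awk -v want="$2" '
        { name = $2; sub(/^\*/, "", name) }   # drop the binary-mode "*" marker
        name == want && length($1) == 64 { print tolower($1); found = 1; exit }
        END { if (!found) exit 1 }
    ' "$1"
}

# actual_digest FILE -> prints the digest of the file as downloaded
actual_digest() {
    sha256sum "$1" | awk '{ print $1 }'
}

# verify_artifact FILE CHECKSUM_FILE
# returns 0 = match, 1 = mismatch, 2 = file or checksum entry missing
verify_artifact() {
    [ -f "$1" ] && [ -f "$2" ] || return 2
    want=$(expected_digest "$2" "$(basename "$1")") || return 2
    have=$(actual_digest "$1") || return 2
    if [ "$want" = "$have" ]; then
        return 0
    fi
    echo "checksum mismatch for $1 (pinned $want, actual $have)" >&2
    return 1
}

# Constructed demo: pin build A, then check a different build under the same name,
# as happens when the binary and the checksum come from different builders.
demo() {
    d=$(mktemp -d) || return 2
    printf 'constructed image, build A\n' > "$d/artifact.bin"
    (cd "$d" && sha256sum artifact.bin > pinned.sha256)
    first=0; verify_artifact "$d/artifact.bin" "$d/pinned.sha256" || first=$?
    printf 'constructed image, build B\n' > "$d/artifact.bin"
    second=0
    verify_artifact "$d/artifact.bin" "$d/pinned.sha256" 2>/dev/null || second=$?
    rm -rf "$d"
    echo "$first $second"
}

demo
```

An installer or Salt state can call `verify_artifact` and stop on any non-zero status; the artifact and the checksum file have to come from the same build origin for the comparison to be meaningful.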

@ideologysec
Author

It would be very useful to publish them as actual GitHub releases. Building a Salt template to download and install the latest version a la Mirage Firewall is the thing that I am looking for or to do. Arbitrary strings in the GitHub Actions channel are maybe not the best way for that.

I am less interested in reproducibility (though I understand and agree with its importance) than I am in installability.
