Confirm Tor Project tor.git package builds are reproducible
Our deb.torproject.org debs are now built on Gitlab (and possibly our RPMs too?). I believe the deb.torproject.org packages come from https://gitlab.torproject.org/tpo/core/debian/tor/-/pipelines, but @weasel will have to confirm. I am less sure where the RPMs come from. @kushal will have to let us know.
We should confirm that these packages are reproducible. If they are based on the Debian build system, I believe they should be. And tor.git itself might be reproducible by default. However, @weasel was not sure if this was the case, and @ahf and I were not either.
It would be a sad day if a Gitlab 0day got someone the whole Tor network. Reproducible builds prevent this possibility, and also allow us to check this after the fact.
So I am creating this ticket to check reproducibility, and then fix any issues.
I think the best way forward is to export the gitlab runner script into a standard docker container and see if the sha256sums from https://deb.torproject.org/torproject.org/pool/main/t/tor/ match those of the resulting debs from said docker container, or even just a build on a random Debian machine. But there may be other ways. I know @jnewsome is good at spinning up ephemeral runners, so that could be another route too, but that does not fully eliminate Gitlab from the picture.
If the test build's sha256sums do not match against the ones in https://deb.torproject.org/torproject.org/pool/main/t/tor/, we may want to use @boklm's RBM tool in our gitlab tor.git build runners, to make it reproducible. (RBM is what Tor Browser now uses, to produce reproducible Tor Browser releases.)
Cc: @boklm, @jnewsome, @kushal, @ahf, @dgoulet, @weasel, @anarcat, @lavamind
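The comparison step the ticket proposes (rebuild the debs somewhere other than the Gitlab runner, then check them against what the archive publishes), as an added example that is not part of the ticket and is not Tor Project code. An apt repository advertises the SHA256 of every .deb in its `Packages` index, so the script parses that index and compares each listed file with the same-named file in a local build output directory. It runs entirely offline: the two stanzas and the two .deb payloads it checks are constructed sample data (the version string `0.0.0-example`, the pool paths and the deliberately wrong hash are all made up), not real entries from deb.torproject.org.

```shell
#!/bin/sh
# Added example, not from the ticket or the Tor Project: check whether locally
# rebuilt .deb files are bit-for-bit identical to the ones an apt repository
# publishes, using the SHA256 fields of the repository's "Packages" index.
# The Packages stanzas and .deb payloads used below are CONSTRUCTED sample
# data; none of the names, versions or hashes come from deb.torproject.org.
set -u

# Turn a Debian Packages index (stanzas separated by blank lines) into
# "<sha256>  <basename of Filename>" lines, one per stanza.
packages_to_sums() {
    awk '
        /^Filename:/ { n = split($2, p, "/"); f = p[n] }
        /^SHA256:/   { h = $2 }
        /^$/         { if (f != "" && h != "") print h "  " f; f = ""; h = "" }
        END          { if (f != "" && h != "") print h "  " f }
    ' "$1"
}

# Compare each package listed in the index with the file of the same name in
# the local build output directory. Exit status 0: every locally present file
# matches the archive; 1: at least one differs. The loop runs on the right
# side of a pipe, i.e. in a subshell, so the status is passed out with exit.
compare_debs() {
    index="$1"; dir="$2"
    packages_to_sums "$index" | (
        rc=0
        while read -r expected name; do
            if [ ! -f "$dir/$name" ]; then
                echo "MISSING  $name (not present in $dir)"
                continue
            fi
            actual=$(sha256sum "$dir/$name" | cut -d' ' -f1)
            if [ "$actual" = "$expected" ]; then
                echo "MATCH    $name"
            else
                echo "MISMATCH $name"
                echo "  archive: $expected"
                echo "  local:   $actual"
                rc=1
            fi
        done
        exit "$rc"
    )
}

# Write a two-stanza Packages index to $1, publishing $2 as the hash of the
# tor package and $3 as the hash of tor-geoipdb. Constructed data throughout.
write_index() {
    cat > "$1" <<EOF
Package: tor
Version: 0.0.0-example
Architecture: amd64
Filename: pool/main/t/tor/tor_0.0.0-example_amd64.deb
SHA256: $2

Package: tor-geoipdb
Version: 0.0.0-example
Architecture: all
Filename: pool/main/t/tor/tor-geoipdb_0.0.0-example_all.deb
SHA256: $3
EOF
}

# Create a throwaway directory with two fake .deb files plus two indexes: one
# whose hashes match the files, one where the tor hash differs (simulating a
# rebuild that did not reproduce). Prints the directory path.
setup_demo() {
    d=$(mktemp -d)
    mkdir "$d/debs"
    printf 'constructed payload standing in for the tor package\n' \
        > "$d/debs/tor_0.0.0-example_amd64.deb"
    printf 'constructed payload standing in for tor-geoipdb\n' \
        > "$d/debs/tor-geoipdb_0.0.0-example_all.deb"
    tor_sum=$(sha256sum "$d/debs/tor_0.0.0-example_amd64.deb" | cut -d' ' -f1)
    geo_sum=$(sha256sum "$d/debs/tor-geoipdb_0.0.0-example_all.deb" | cut -d' ' -f1)
    write_index "$d/Packages.ok" "$tor_sum" "$geo_sum"
    # a made-up 64-hex-digit value that is not the hash of the local file
    write_index "$d/Packages.bad" \
        "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef" "$geo_sum"
    echo "$d"
}

demo=$(setup_demo)
echo "== index whose hashes match the local build =="
compare_debs "$demo/Packages.ok" "$demo/debs"
echo "== index with a deliberately different hash for tor =="
compare_debs "$demo/Packages.bad" "$demo/debs" || echo "=> not reproducible (exit status $?)"
rm -rf "$demo"
```

Against a real archive you would feed `compare_debs` the decompressed `Packages` file for the suite you built (after verifying the `Release` signature on it) and the directory your container or spare Debian machine wrote the .debs to. A MATCH is the strong result: the local rebuild is byte-identical to what the archive serves. On a MISMATCH the hash alone says nothing about why; running diffoscope on the two .debs shows which files inside differ, which is usually what points at embedded timestamps, build paths or similar non-deterministic input in the build.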