
Distributed build system providing cryptographic proofs-of-reproducibility via Byzantine Fault Tolerant (BFT) consensus


iqlusioninc/synchronicity


Synchronicity


A connecting principle linked to the invisible.
Almost imperceptible. Something inexpressible.

—The Police, Synchronicity I

Distributed build system providing cryptographic proofs-of-reproducibility via Byzantine Fault Tolerant (BFT) consensus.

Documentation

About

Synchronicity is a distributed build system for Rust crates which have been published to crates.io. It builds crates reproducibly inside of Docker containers managed using Rustwide, the core library behind tools like Crater and docs.rs.

Goal

The goal of Synchronicity is to provide a distributed binary transparency (BT) system for Rust crates which is independent of any one central operator. BT systems checkpoint content hashes of binaries in an append-only log which, if nothing else, ensures that forensic evidence of all builds is logged in a fairly permanent way.

This is helpful in situations where it would be desirable to use pre-built binaries of crates, such as distributed build caches. In such a situation, a binary transparency system can ensure that the artifact one receives is the same as everyone else is receiving in a way that can't be easily altered by an attacker.

By using a system based on reproducible builds, Synchronicity is also able to provide high confidence that binary artifacts are faithful to their original source code using cryptographic proofs that are easy to obtain and verify (even by an offline party/process). This helps prevent a malicious builder from inserting trojans in the source code prior to performing a build (or at least, ideally makes it much more difficult).

Operational Details

Builders running Synchronicity also run a BFT consensus algorithm among themselves (as part of a closed, "permissioned" group), and in doing so come to agreement on whether or not a build was successfully reproduced by a threshold of the group's members. Consensus is provided by Libra's HotStuff BFT.

Any builder can submit a build to be run by the rest of the group. The results of the build are then published as part of a commit-and-reveal scheme. After all builders have completed the build, or a timeout is reached, the builders reveal hashes identifying the build artifacts, and if a threshold of them match, evidence thereof is stored in an append-only Merkle log generated by the consensus group.
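
The commit-and-reveal round described above, sketched in Python as an added example (not Synchronicity's own code). The commitment layout, the 32-byte nonce, the threshold of 3 out of 4 and the names `commit`, `tally` and `sample_round` are assumptions; the page does not specify a wire format.

```python
import hashlib
import hmac
import secrets
from collections import Counter

def commit(builder_id: str, artifact_hash: bytes, nonce: bytes) -> bytes:
    """Commit phase: hide the artifact hash behind a random 32-byte nonce.

    Binding the builder id (length-prefixed) stops one builder from reusing
    another builder's commitment and later copying its reveal.
    """
    bid = builder_id.encode()
    data = len(bid).to_bytes(2, "big") + bid + nonce + artifact_hash
    return hashlib.sha256(data).digest()

def tally(commitments: dict, reveals: dict, threshold: int):
    """Reveal phase: return the artifact hash that at least `threshold`
    builders both committed to and revealed, or None if no hash qualifies."""
    votes = Counter()
    for builder_id, (nonce, artifact_hash) in reveals.items():
        expected = commitments.get(builder_id)
        if expected is None:
            continue  # no commitment on record, so the reveal does not count
        opened = commit(builder_id, artifact_hash, nonce)
        if hmac.compare_digest(expected, opened):
            votes[artifact_hash] += 1
    if not votes:
        return None
    winner, count = votes.most_common(1)[0]
    return winner if count >= threshold else None

def sample_round():
    """Constructed data: builders a-c reproduce the build, d diverges."""
    good = hashlib.sha256(b"constructed artifact bytes").digest()
    bad = hashlib.sha256(b"constructed divergent artifact").digest()
    commitments, reveals = {}, {}
    for builder_id, digest in [("a", good), ("b", good), ("c", good), ("d", bad)]:
        nonce = secrets.token_bytes(32)
        commitments[builder_id] = commit(builder_id, digest, nonce)
        reveals[builder_id] = (nonce, digest)
    return good, commitments, reveals

if __name__ == "__main__":
    good, commitments, reveals = sample_round()
    print(tally(commitments, reveals, threshold=3) == good)  # 3 of 4 match
```

Because each commitment is fixed before any hash is revealed, a builder that skips the build cannot simply echo the majority result.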

Once evidence of a successful build reproduction has been published in the log, clients interested in determining if they should trust a particular build can request cryptographic proof-of-inclusion that it has been successfully reproduced. So long as a threshold of the group does not collude to publish fraudulent reproducibility results, this cryptographic proof can be trusted as evidence that a build with a matching hash is reproducible from the original source code published on crates.io.

Cryptographic proofs of reproducibility are static artifacts that can be obtained once and included along with a build, ensuring privacy for verifiers who do not want to reveal to a central service which proofs they are verifying.

Verification can be performed offline by consumers of binary artifacts. Proofs can be passed as static strings/files (or potentially included into the binary artifacts themselves) and verified offline by the actual build workers.
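
An added example (not Synchronicity's code) of checking a proof-of-inclusion offline from static inputs. It assumes an RFC 6962-style Merkle tree over SHA-256 and the audit-path check from RFC 9162; the page does not specify the log format, and the entry encoding and function names are hypothetical. The root is assumed to reach the verifier through a channel it already trusts.

```python
import hashlib
import hmac

def leaf_hash(entry: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + entry).digest()  # 0x00 prefix marks a leaf

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()  # 0x01 marks a node

def root_and_path(leaves: list, index: int):
    """Log side: return (root, audit path) for leaves[index] (leaf hashes)."""
    if len(leaves) == 1:
        return leaves[0], []
    k = 1
    while k * 2 < len(leaves):  # k = largest power of two below len(leaves)
        k *= 2
    if index < k:
        left, path = root_and_path(leaves[:k], index)
        right, _ = root_and_path(leaves[k:], 0)
        return node_hash(left, right), path + [right]
    left, _ = root_and_path(leaves[:k], 0)
    right, path = root_and_path(leaves[k:], index - k)
    return node_hash(left, right), path + [left]

def verify_inclusion(entry, index, tree_size, path, root) -> bool:
    """Client side: recompute the root from the entry and its audit path."""
    if not 0 <= index < tree_size:
        return False
    fn, sn, r = index, tree_size - 1, leaf_hash(entry)
    for sibling in path:
        if sn == 0:
            return False  # path is longer than the tree is deep
        if fn & 1 or fn == sn:
            r = node_hash(sibling, r)
            while fn and not fn & 1:  # skip levels with no right sibling
                fn, sn = fn >> 1, sn >> 1
        else:
            r = node_hash(r, sibling)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and hmac.compare_digest(r, root)

def sample_log():
    """Constructed log of five entries; the entry format is hypothetical."""
    entries = [b"example-crate 0.1.%d sha256:constructed" % i for i in range(5)]
    return entries, [leaf_hash(e) for e in entries]
```

The verifier needs only the entry, its index, the tree size, the audit path and the root, so nothing is disclosed to the log operator at verification time.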

Status

Synchronicity is a work in progress at an early stage of development and is not ready to be used. Check back later!

Minimum Supported Rust Version

  • Rust 1.39+

Code of Conduct

We abide by the Contributor Covenant and ask that you do as well.

For more information, please see CODE_OF_CONDUCT.md.

License

Copyright © 2019 iqlusion

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

https://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you shall be licensed as above, without any additional terms or conditions.
