4

When I compile source code to get a working, safe Tor package, what I produced has a different hash from the official Tor binary in the download section... Is this a compiler problem, or is it normal that compilers add random data, so we can't check whether Tor's official binaries are safe or backdoored? Does this problem exist only for C code compilers, or does the same problem exist for Java (Orbot), so that there is no way to verify compiled binaries against the source code?


Why is it common to get a different binary from compiling the same source code? Can somebody please explain how reproducible builds are achieved and why the same isn't possible with Java?

Roya
iTor

1 Answer

3

This is normal for the Tor 0.2.3 series.

If, however, you are trying to compile 0.2.4 or later, then the desired result is that it would be identical, and thus produce the same hash. As this feature is still under development, however, it's possible it's a (known or unknown) bug. To attempt this, follow the README in the build scripts. This would handle the case of the official binaries being backdoored.

For the second part of your question, about whether Java implementations have the same unverifiable build problem: the same problem exists. Various Java compilers will compile the source into Java Virtual Machine code differently, with different optimisations. As far as I'm aware there is no effort to get Reproducible Builds for Orbot. The situation is (slightly) different here, however, as you are then also relying on the JVM program that interprets the compiled bytecode into appropriate instructions for your machine, which adds another layer of verification needed, depending on how concerned you are about the backdooring of software.

Megan Walker
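An added illustration, not part of the answer above and not Orbot's or Tor's build code: even when two builds emit byte-for-byte identical class files, packaging them into a .jar (a zip archive) stamps each entry with the build time and writes entries in file-system order, so the archive hashes differ. A reproducible packaging step fixes the entry order and pins the timestamp. The class-file contents below are constructed placeholders, not real bytecode.

```python
import hashlib
import io
import zipfile

# Constructed sample "build output": what a Java build might hand to the jar step.
SAMPLE_OUTPUT = {
    "org/example/Main.class": b"\xca\xfe\xba\xbe" + b"main-bytecode",
    "org/example/Util.class": b"\xca\xfe\xba\xbe" + b"util-bytecode",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
}


def naive_jar(files, build_time):
    """Package files the way a typical build does: entries in whatever order
    they were handed over, each stamped with the wall-clock build time.
    build_time is a (year, month, day, hour, minute, second) tuple."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            info = zipfile.ZipInfo(name, date_time=build_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


def reproducible_jar(files):
    """Same content with the variable metadata normalised: entries sorted by
    name and every timestamp pinned to the zip format's epoch (1980-01-01)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in sorted(files):
            info = zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0))
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, files[name])
    return buf.getvalue()


def sha256(blob):
    return hashlib.sha256(blob).hexdigest()


def demo():
    # Two naive builds of identical input, five minutes apart.
    first = naive_jar(SAMPLE_OUTPUT, (2014, 1, 10, 12, 0, 0))
    second = naive_jar(SAMPLE_OUTPUT, (2014, 1, 10, 12, 5, 0))
    # Same input handed over in a different order, as another machine might.
    shuffled = dict(reversed(list(SAMPLE_OUTPUT.items())))
    return {
        "naive_matches": sha256(first) == sha256(second),
        "reproducible_matches": sha256(reproducible_jar(SAMPLE_OUTPUT))
        == sha256(reproducible_jar(shuffled)),
    }
```

The same idea (pinned timestamps, sorted entries, no build-host paths) is what makes a verifier's independently built archive hash-comparable with a published one.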