Reproducible Builds and compiling scripts without random tokenisation


TheDcoder
Hello Everyone :)

Been a while since I had any useful ideas for AutoIt. Today I was thinking about having an option to compile a script without any obfuscation or tokenisation, or at least, an option to specify the seed for the randomness in the tokenisation process to produce identical executables every time.

This would be very useful for Open Source software where anyone can compile the source to produce a bit to bit copy of the compiled version by the developer. Currently there is no legal way to verify if a build has been built from a specific source; with this option it will be as easy as compiling the code and comparing the builds :D

Something like #pragma compile(Tokenise, false), we can set the proposed Tokenise directive to true as default to maintain backward compatibility and to somewhat protect closed source software.

What do you guys think about this?

TD :thumbsup:

Edited by TheDcoder
"form" to "from"

EasyCodeIt - A cross-platform AutoIt implementation - Fund the development! (GitHub will double your donations for a limited time)

DcodingTheWeb Forum - Follow for updates and Join for discussion

  • 5 months later...

You shouldn't have needed to bump. But clearly you did have to. :(

I am surprised you got no response, as I consider your request as quite worthwhile, going by our recent discussions.

Perhaps you should outlay your current situation, to make things perfectly clear to the powers-that-be, why this is needed.

Edited by TheSaint

Make sure brain is in gear before opening mouth!
Remember, what is not said, can be just as important as what is said.

What is the Secret Key? Life is like a Donut

If I put effort into communication, I expect you to read properly & fully, or just not comment.
Ignoring those who try to divert conversation with irrelevancies.
If I'm intent on insulting you or being rude, I will be obvious, not ambiguous about it.
I'm only big and bad, to those who have an over-active imagination.

I may have the Artistic Liesense ;) to disagree with you. TheSaint's Toolbox (be advised many downloads are not working due to ISP screwup with my storage)

36 minutes ago, TheSaint said:

Perhaps you should outlay your current situation, to make things perfectly clear to the powers-that-be, why this is needed.

I agree.

A practical example and the reason why I am looking forward to this feature is because I develop a program called ProxAllium, it is a frontend for Tor which is a security related software, I won't go into much detail, but I will say that users of Tor and the Tor project take security/trustworthiness somewhat more seriously than normal people. In order for a software to be accepted by the community, the binaries should ideally be reproducible, so that they can verify that it has indeed been compiled from the public source code. Unfortunately it is impossible to do this in AutoIt as tokenization adds a random factor to the compile process :(

That is only one of the many advantages of reproducible builds, more incentives and advantages can be found here: https://reproducible-builds.org/

Also, the Wikipedia entry on this topic: https://en.wikipedia.org/wiki/Deterministic_compilation

It is a valuable technique which open source software can take advantage of :)

Edited by TheDcoder
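The compile-and-compare check described in the posts above, as an added example that is not part of the original thread: `toy_build` is a hypothetical stand-in for a compiler that mixes a random key into its output (it is not AutoIt's compiler or file format), and the sample source is constructed.

```python
import hashlib
import random

def toy_build(source: bytes, seed=None) -> bytes:
    """Constructed model of a builder with a random factor (hypothetical).
    A fixed seed makes the output deterministic; no seed uses OS randomness."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    key = rng.getrandbits(64).to_bytes(8, "big")
    body = bytes(b ^ key[i % 8] for i, b in enumerate(source))
    return b"TOYEXE\x00\x01" + key + body   # 8-byte header, key, encoded body

def diff_ranges(a: bytes, b: bytes, gap: int = 4):
    """Return [start, end) offsets where a and b differ, merging ranges
    separated by fewer than `gap` equal bytes."""
    ranges = []
    for i in range(max(len(a), len(b))):
        x = a[i] if i < len(a) else None
        y = b[i] if i < len(b) else None
        if x == y:
            continue
        if ranges and i - ranges[-1][1] < gap:
            ranges[-1][1] = i + 1           # extend the current range
        else:
            ranges.append([i, i + 1])       # start a new range
    return [tuple(r) for r in ranges]

def verify_rebuild(published: bytes, rebuilt: bytes) -> dict:
    """Compare a published binary against an independent rebuild."""
    pub = hashlib.sha256(published).hexdigest()
    mine = hashlib.sha256(rebuilt).hexdigest()
    return {
        "published_sha256": pub,
        "rebuilt_sha256": mine,
        "reproducible": pub == mine,
        # When the digests differ, the offsets show which part of the
        # file carries the nondeterminism.
        "differing_ranges": diff_ranges(published, rebuilt),
    }

if __name__ == "__main__":
    src = b'MsgBox(0, "demo", "hello")'     # constructed sample source
    # Same seed on both sides: the rebuild matches bit for bit.
    print(verify_rebuild(toy_build(src, seed=1), toy_build(src, seed=1)))
    # No seed: each build draws a fresh key, so the digests differ.
    print(verify_rebuild(toy_build(src), toy_build(src)))
```
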


Good stuff @Mobius, I recall checking out AutoCamo a few years ago, but never downloaded it and had a proper look... until now that is, I see that you have discontinued it (which is sad), but we can salvage something from your project. Can you give us a brief explanation how you made it possible to have a custom seed?


20 hours ago, TheDcoder said:

Good stuff @Mobius, I recall checking out AutoCamo a few years ago, but never downloaded it and had a proper look... until now that is, I see that you have discontinued it (which is sad), but we can salvage something from your project. Can you give us a brief explanation how you made it possible to have a custom seed?

That's ok @TheDcoder. It's a fairly old tool (much like its creator) and not to everyone's taste (also like its creator ;) ), what it does is fairly moot these days.

Unfortunately the token seeding process involved physically modifying the machinations of the builder and the interpreter on the fly to allow for this procedure to work. It could be built into the builder by the developer of course but I'm guessing there are numerous good reasons for him not doing so.

Edited by Mobius
Busted wink


2 hours ago, Mobius said:

That's ok @TheDcoder. It's a fairly old tool (much like its creator) and not to everyone's taste (also like its creator ;) ), what it does is fairly moot these days.

:lol:

2 hours ago, Mobius said:

Unfortunately the token seeding process involved physically modifying the machinations of the builder and the interpreter on the fly to allow for this procedure to work

I see, quite advanced stuff then. I was kind of hoping there was an easier way.

Maybe I should open a ticket about this and see what the Devs think?


24 minutes ago, TheDcoder said:

Maybe I should open a ticket about this and see what the Devs think?

Not to be cruel (rare) but given the lack of attention this thread generated I doubt it would be high on the todo list if at all. You are of course free to ask.


13 minutes ago, Mobius said:

Not to be cruel (rare)

No worries, didn't take offense :)

13 minutes ago, Mobius said:

given the lack of attention this thread generated I doubt it would be high on the todo list if at all. You are of course free to ask.

I think the same, but you can always try and see, would be nice if they implement it :)


Well, now I am reading all about Reproducible Builds, and, thanks, this is great stuff. Let me learn and get back here in time. Basically, I do this stuff, but I have found some great nuggets of wisdom here: https://reproducible-builds.org/docs/

I always snapshot every build, we can trace everything, but there is still much I need to learn. I even have zipped archives of builds they use to debug with when problems come up, which have all the pdbs and whatnot.

Edited by Earthshine

My resources are limited. You must ask the right questions