Hi there.

Pardon the de-lurk, but I have a few thoughts on the topic that might help.
I use mosh on os x and linux. I also happen to use homebrew.

As you've already pointed out, a proper package manager makes a lot of this
much easier. There are a couple ways to get closer to this on a mac.

First, a stupid linux trick. In the past, on debian based distros when I
have needed to replicate an environment that was lacking in automation for
builds, I've fallen back to
dpkg --get-selections > packages.txt
scp packages.txt host:/tmp
dpkg --set-selections < /tmp/packages.txt
apt-get dselect-upgrade

Ok, so at that point I can be confident that system B is similar enough to
system A to start working on whatever the issue is. The only problems that
have cropped up are where deps are so old they've rsynced off the public
mirrors, or in unversioned crap in /usr/local. You can do it with rpm too,
it's just spelled differently.

A way to replicate that technique on a mac could be as simple as:
Track the os version 10.x
Track the xcode version.
Track the homebrew version.

Homebrew has some options here.
brew list > packages.txt
scp packages.txt hostb:packages.txt
brew install $(cat packages.txt)

Where this kind of falls on its face, is that homebrew more or less just
chases the tip of a branch (stable) and updates are rolling.

But, it's all in git. If you were to go to /usr/local/Homebrew (the new
home), you could figure out what sha you were using for the current build
by running
✔ /usr/local/Homebrew [stable L|✔]
13:24 $ git rev-parse HEAD
8a7317aa8ff5f12067eb65e529a13490bc69deda (example sha to save somewhere)


They also have tags. And other branches. Point being, you could pin to a
version/branch or whatever. It's just an exercise in juggling the metadata
when building and capturing it somewhere. At that point you're much much
closer to being able to stand up a brand new fresh os x box and install
known versions of packages and known configurations of homebrew without
inventing nearly as much of this solo. And lets face it... Idiosyncrasies
with third party libs are a drag. At least engage a large community to
share/shake out wrinkles. At a high level it's just 4 sets of facts.

Re-lurking.

Quoting john hood (2016-11-02 18:45:17)
That probably doesn't really help - just because you can't have a 'perfect' build environment doesn't mean that the world is a better place if you have none :-)

Transparency is the first part: whatever your build method is, make sure it is described so that potential users can make up their own minds about the risks.

Then add as much accountability as possible, in terms of build logs and any artefacts like that, in case someone else can spot a problem that you didn't see on a particular given run. That is also helpful in terms of build quality itself, not just the security issues.

As long as there is a viable path for an end-user to take from the source to a binary without trusting anything else from you, that's great. Some products (e.g. TrueCrypt) were exceptionally difficult to build, which was a problem.

A repeatable build environment with a transparent trusted process? Probably not going to happen in the OS X world very easily, so just take steps to get closer :-)


--
Jim Cheetham, Information Security, University of Otago, Dunedin, N.Z.
✉ ***@otago.ac.nz ☏ +64 3 470 4670 ☏ m +64 21 279 4670
⚷ OpenPGP: B50F BE3B D49B 3A8A 9CC3 8966 9374 82CD C982 0605