What Is Gitian Building? How Bitcoin’s Security Processes Became a Model for the Open Source Community
One of Bitcoin's most important security features, a crucial property that makes the system trustless, is its open source nature. Because Bitcoin’s code is open source, anyone able to read code can check for themselves whether it does what it's supposed to do.
Plus, as per Linus's Law: Given enough eyeballs, all bugs are shallow.
But open source code doesn't necessarily eliminate all risk. Users still need to trust that the software they run on their computers actually reflects the open source code as it should. To eliminate this risk, Bitcoin developers have developed a fierce security policy which goes beyond the open source nature of Bitcoin itself: “Gitian Building.”
Gitian Building is even increasingly embraced by the wider open source community. Development teams behind Tor, Debian, Mozilla and other open source projects are embracing the practice spearheaded by the Bitcoin Core development team, and it might very well become an open source standard before long.
Here's why Gitian Building is important, and how it works.
On Source Code and Binaries
The problem that Gitian Building solves, at its heart, is that humans and computers do not speak the same language.
Bitcoin Core is written in C++, one of several programming languages. Programming languages – while obviously very different from actual languages – can be written and read by humans. And it's this C++ code that's open source, and therefore checkable and verifiable.
But computer CPUs cannot actually read these programming languages. Instead, CPUs have their own “machine language”: binaries. Binaries, as the name suggests, are often represented as “ones” and “zeros.” But more important: binaries are not readable by humans.
For a program written in human readable code (such as C++) to be executed on a computer, it must be “translated” into binaries. This “translation” process is called “compiling,” and is done using special software: a compiler. Someone, somewhere needs to compile code into binaries.
If it weren't for Gitian Building, the compiling process would present a potential single point of failure.
So what, exactly, the risk if there is no Gitian Building process?
Let's say that Wladimir van der Laan, Bitcoin Core's lead developer, is tasked with compiling Bitcoin Core's code into binaries. This would mean he’d have to insert C++ code in the compiler installed on his computer, and the Bitcoin Core binaries come out on the other end. He then distributes these binaries through bitcoin.org, bitcoincore.org and perhaps other platforms.
The problem is obvious. While anyone able to read C++ can check and verify Bitcoin Core's open source code, they still need to trust that the binaries as published by Van der Laan reflect this same code.
But if, for example, Van der Laan’s computer is compromised, his compiler could be replaced with software that creates malicious binaries instead ‒ perhaps binaries that look like Bitcoin Core when running on a computer, but that actually steal bitcoins. Or, Van der Laan might be coerced by someone with nefarious intentions, and is forced to publish malicious binaries. Or perhaps Van der Laan will one day go crazy and intentionally spread malware himself.
It's unlikely anyone would realize any of this until it's too late; while the code is open source, no one can actually read the binaries.
The easy way to solve this problem would be to have several developers all build binaries from the same code and cross check these binaries against each other. If their binaries are identical, they know the binaries are accurate, and none of them would be compromised. Plus, anyone else could compile the binaries, too, and check whether the developers are still acting honestly. This type of cross checking would eliminate a single point of failure.
Unfortunately, it's not that simple. Binary building is a very unpredictable process, involving many variables. If different developers for instance use different compilers, different operating systems, or even compile the binaries at different times, the binaries might look very different. This makes simple cross checking useless.
Gitian is an open source software program that offers what is known as a “build environment.” A build environment is perhaps best described as a “computer within a computer,” but with a specific purpose: a virtual space to compile binaries, completely free of any variables. “Gitian Building,” the process of compiling binaries in Gitian, ensures that whatever computer is used, the binaries turn out exactly the same.
This, in turn, enables different developers to reliably cross check their binaries against each other. And, of course, it allows anyone else to verify whether the binaries match the source code as well.
For a more in-depth explanation of Gitian Building, see this CCC-talk by The Tor Project's Mike Perry and Electronic Frontier Foundation's Seth Schoen:
Thanks to Bitcoin Core developer BtcDrak.