[linux-elitists] Surveillance

Seth David Schoen schoen at loyalty.org
Sat Sep 7 09:03:35 PDT 2013


Greg KH writes:

> > That it's the Gentoo nerds who should be
> > busting out in the mocking elitist dance, at least
> > until the other distributions get deterministic
> > builds going?
> 
> Gentoo's build system is "deterministic"?  In what manner?
> 
> How is Debian's and openSUSE's and Fedora's somehow different from
> Gentoo's?

I presume Don means that many Gentoo users are building most of their
binaries from scratch, while users of other distributions are accepting
binaries that their distributors compiled (and currently those
distributors don't have a simple way to prove that the binaries
correspond to the sources).

I think Debian has acknowledged that they have a real security risk here
and they're working on fixing it.  My understanding is that today they
still allow _individual package maintainers_ to ship (signed) binaries
directly to users based on the developer's claim that they built a
particular binary from particular source code.  (Note that the developer
might claim in good faith that they did so, but their laptop might be
compromised!)  But I think Debian is moving quickly to change this.

Perhaps Gentoo's design implies trusting fewer people or devices in this
respect right now.

-- 
Seth David Schoen <schoen at loyalty.org>      |  No haiku patents
     http://www.loyalty.org/~schoen/        |  means I've no incentive to
  FD9A6AA28193A9F03D4BF4ADC11B36DC9C7DD150  |        -- Don Marti


More information about the linux-elitists mailing list