raistlin at majere.net
Sat Sep 7 09:09:38 PDT 2013
And do you think all of those Gentoo users are doing code reviews of all
of the source code they compile to ensure there are no back doors in the
On 09/07/2013 12:03 PM, Seth David Schoen wrote:
> Greg KH writes:
>>> That it's the Gentoo nerds who should be
>>> busting out in the mocking elitist dance, at least
>>> until the other distributions get deterministic
>>> builds going?
>> Gentoo's build system is "deterministic"? In what manner?
>> How is Debian's and openSUSE's and Fedora's somehow different from
> I presume Don means that many Gentoo users are building most of their
> binaries from scratch, while users of other distributions are accepting
> binaries that their distributors compiled (and currently those
> distributors don't have a simple way to prove that the binaries
> correspond to the sources).
> I think Debian has acknowledged that they have a real security risk here
> and they're working on fixing it. My understanding is that today they
> still allow _individual package maintainers_ to ship (signed) binaries
> directly to users based on the developer's claim that they built a
> particular binary from particular source code. (Note that the developer
> might claim in good faith that they did so, but their laptop might be
> compromised!) But I think Debian is moving quickly to change this.
> Perhaps Gentoo's design implies trusting fewer people or devices in this
> respect right now.
More information about the linux-elitists