[linux-elitists] Surveillance

Greg KH greg at kroah.com
Sat Sep 7 09:37:42 PDT 2013


On Sat, Sep 07, 2013 at 09:03:35AM -0700, Seth David Schoen wrote:
> Greg KH writes:
> 
> > > That it's the Gentoo nerds who should be
> > > busting out in the mocking elitist dance, at least
> > > until the other distributions get deterministic
> > > builds going?
> > 
> > Gentoo's build system is "deterministic"?  In what manner?
> > 
> > How is Debian's and openSUSE's and Fedora's somehow different from
> > Gentoo's?
> 
> I presume Don means that many Gentoo users are building most of their
> binaries from scratch, while users of other distributions are accepting
> binaries that their distributors compiled (and currently those
> distributors don't have a simple way to prove that the binaries
> correspond to the sources).

"other" distributions?  openSUSE/SLES/Fedora/RHEL have a "simple" way to
prove this, just take the source rpm and rebuild it yourself and check
that it stays the same, modulo any date/time stamps.  Yes, lots of
programs do have those in them, but that can be fixed pretty easily if
the developers want to.

Heck, make a local instance of OBS, and use it to rebuild your whole
distro, it can build anything but Gentoo packages these days.

Speaking of Gentoo, lots of companies use that instead of the
"enterprise" distros, rolling their own packages and distributing system
images, or binary packages, to their own systems, signed with their own
keys.

> Perhaps Gentoo's design implies trusting fewer people or devices in this
> respect right now.

Gentoo's current design trusts way _more_ people, given that a large
number have access to the whole portage tree, and can check anything in,
anywhere.

I'm still confused about Don's original point here, what exactly is it?

greg k-h
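
An added example, not part of the message above or of any distribution's tooling: a sketch of the "rebuild it and check that it stays the same, modulo date/time stamps" comparison. It assumes in-memory tar archives as a stand-in for the payload of a binary rpm; the function names and the sample file contents are constructed for illustration.

```python
import hashlib
import io
import tarfile


def make_payload(files, mtime):
    """Build an in-memory tar standing in for a package payload (constructed sample)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime          # archive-level timestamp of the build
            info.mode = 0o755
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def manifest(payload):
    """Map member name -> (mode, sha256 of contents); mtime is deliberately left out."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(payload)) as tar:
        for m in tar.getmembers():
            if m.isfile():
                digest = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
                out[m.name] = (m.mode, digest)
    return out


def compare_builds(a, b):
    """Return (verdict, names of members whose mode or contents differ)."""
    if a == b:
        return "bit-identical", []
    ma, mb = manifest(a), manifest(b)
    diff = sorted(n for n in ma.keys() | mb.keys() if ma.get(n) != mb.get(n))
    if not diff:
        return "identical modulo timestamps", []
    return "content differs", diff


# Constructed sample: the distributor's build and a local rebuild a day later.
CODE = b"\x7fELF...constructed program bytes..."
DOCS = {"usr/share/doc/README": b"docs\n"}
distro = make_payload({**DOCS, "usr/bin/tool": CODE}, mtime=1378500000)
rebuild = make_payload({**DOCS, "usr/bin/tool": CODE}, mtime=1378586400)
# Same source, but the program embeds its own build date in the binary.
distro_stamped = make_payload({**DOCS, "usr/bin/tool": CODE + b"Sep  6 2013"}, mtime=1378500000)
rebuild_stamped = make_payload({**DOCS, "usr/bin/tool": CODE + b"Sep  7 2013"}, mtime=1378586400)
```

The first pair differs only in archive metadata and compares clean once mtime is ignored; the second pair is flagged because the date stamp lives inside the program itself, which is the case that needs a fix in the program's own build.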

