[linux-elitists] Surveillance

Teh Entar-Nick nick at teh.entar.net
Sun Sep 8 10:50:28 PDT 2013


Seth David Schoen:
> Greg KH writes:
> > Gentoo's build system is "deterministic"?  In what manner?
[...]
> I think Debian has acknowledged that they have a real security risk here
> and they're working on fixing it.  My understanding is that today they
> still allow _individual package maintainers_ to ship (signed) binaries
> directly to users based on the developer's claim that they built a
> particular binary from particular source code.  (Note that the developer
> might claim in good faith that they did so, but their laptop might be
> compromised!)  But I think Debian is moving quickly to change this.

I'd like to point out that Ubuntu forbids binary uploads, and maintains
a pool of build machines to ensure that mass-rebuilds of all packages
are possible (such as when the build toolchain is updated).  

I think when Greg and I both read the word "deterministic", we imagined
some kind of system whereby given the same source tarball and build
toolchain and architecture, he and I could get binaries with identical
sha256sums on our two completely unconnected computers.  

Such a system is a very good idea for verifying binaries, but build
systems are messy and like to do things like embed build timestamps and
build hosts in them (Linux kernel, I am looking in your direction...)

-- 
Man, I love how everyone is like "In my blog, which is
a blog on the Internet, which you all may be interested
in visiting, I talked about what I am now saying here."
                            -- George Moffitt
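
The point above about embedded build timestamps and build hosts, as an added example that is not part of the original message: a toy Python "build" packs the same source on two simulated machines, first embedding build time and host, then with those inputs pinned, and compares the sha256 digests. All names, sample sources, hosts and timestamps are constructed for illustration.

```python
import gzip
import hashlib
import io
import tarfile

# Constructed sample source tree (file name -> contents).
SOURCES = {"src/main.c": b"int main(void) { return 0; }\n", "README": b"demo\n"}
SOURCE_EPOCH = 1378598400  # constructed fixed timestamp agreed on for the release

def build(sources, clock, host, reproducible):
    """Toy build: pack sources plus a BUILDINFO file into .tar.gz bytes."""
    files = dict(sources)
    if reproducible:
        # Record only values derived from the source, and pin every timestamp.
        files["BUILDINFO"] = b"source-epoch=%d\n" % SOURCE_EPOCH
        stamp = SOURCE_EPOCH
    else:
        # What messy build systems do: embed when and where the build ran.
        files["BUILDINFO"] = b"built=%d host=%s\n" % (clock, host.encode())
        stamp = clock
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in sorted(files):  # fixed member order
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = stamp  # tar member header carries an mtime
            tar.addfile(info, io.BytesIO(files[name]))
    out = io.BytesIO()
    # The gzip header carries an mtime of its own.
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=stamp) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def two_machine_digests(reproducible):
    """Build on two simulated, unconnected machines; return both sha256 hex digests."""
    machines = [(1378662628, "builder-a"), (1378666000, "builder-b")]  # constructed
    return [hashlib.sha256(build(SOURCES, clock, host, reproducible)).hexdigest()
            for clock, host in machines]

if __name__ == "__main__":
    for mode in (False, True):
        a, b = two_machine_digests(mode)
        print("reproducible=%s match=%s\n  %s\n  %s" % (mode, a == b, a, b))
```

Identical digests in the pinned case are what let a third party rebuild from source and check a distributed binary without trusting the machine that produced it.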

