nick at teh.entar.net
Sun Sep 8 10:50:28 PDT 2013
Seth David Schoen:
> Greg KH writes:
> > Gentoo's build system is "deterministic"? In what manner?
> I think Debian has acknowledged that they have a real security risk here
> and they're working on fixing it. My understanding is that today they
> still allow _individual package maintainers_ to ship (signed) binaries
> directly to users based on the developer's claim that they built a
> particular binary from particular source code. (Note that the developer
> might claim in good faith that they did so, but their laptop might be
> compromised!) But I think Debian is moving quickly to change this.
I'd like to point out that Ubuntu forbids binary uploads, and maintains
a pool of build machines to ensure that mass-rebuilds of all packages
are possible (such as when the build toolchain is updated).
I think when Greg and I both read the word "deterministic", we imagined
some kind of system whereby given the same source tarball and build
toolchain and architecture, he and I could get binaries with identical
sha256sums on our two completely unconnected computers.
Such a system is a very good idea for verifying binaries, but build
systems are messy and like to do things like embed build timestamps and
build hosts in them (Linux kernel I am looking in your direction...)
Man, I love how everyone is like "In my blog, which is
a blog on the Internet, which you all may be interested
in visiting, I talked about what I am now saying here."
-- George Moffitt
More information about the linux-elitists