dmarti at zgp.org
Sun Sep 8 11:21:02 PDT 2013
begin Teh Entar-Nick quotation of Sun, Sep 08, 2013 at 05:50:28PM +0000:
> Seth David Schoen:
> > Greg KH writes:
> > > Gentoo's build system is "deterministic"? In what manner?
> > I think Debian has acknowledged that they have a real security risk here
> > and they're working on fixing it. My understanding is that today they
> > still allow _individual package maintainers_ to ship (signed) binaries
> > directly to users based on the developer's claim that they built a
> > particular binary from particular source code. (Note that the developer
> > might claim in good faith that they did so, but their laptop might be
> > compromised!) But I think Debian is moving quickly to change this.
> I'd like to point out that Ubuntu forbids binary uploads, and maintains
> a pool of build machines to ensure that mass-rebuilds of all packages
> are possible (such as when the build toolchain is updated).
> I think when Greg and I both read the word "deterministic", we imagined
> some kind of system whereby given the same source tarball and build
> toolchain and architecture, he and I could get binaries with identical
> sha256sums on our two completely unconnected computers.
> Such a system is a very good idea for verifying binaries, but build
> systems are messy and like to do things like embed build timestamps and
> build hosts in them (Linux kernel I am looking in your direction...)
So people are doing builds with faketime...
...which is either a really great idea or has
something terrible and obvious wrong with it that
I'm not picking up on yet.
Don Marti +1-510-332-1587 (mobile)
http://zgp.org/~dmarti/ Alameda, California, USA
dmarti at zgp.org
More information about the linux-elitists