[linux-elitists] Surveillance

Don Marti dmarti at zgp.org
Sun Sep 8 11:21:02 PDT 2013


begin Teh Entar-Nick quotation of Sun, Sep 08, 2013 at 05:50:28PM +0000:
> Seth David Schoen:
> > Greg KH writes:
> > > Gentoo's build system is "deterministic"?  In what manner?
> [...]
> > I think Debian has acknowledged that they have a real security risk here
> > and they're working on fixing it.  My understanding is that today they
> > still allow _individual package maintainers_ to ship (signed) binaries
> > directly to users based on the developer's claim that they built a
> > particular binary from particular source code.  (Note that the developer
> > might claim in good faith that they did so, but their laptop might be
> > compromised!)  But I think Debian is moving quickly to change this.
> 
> I'd like to point out that Ubuntu forbids binary uploads, and maintains
> a pool of build machines to ensure that mass-rebuilds of all packages
> are possible (such as when the build toolchain is updated).  
> 
> I think when Greg and I both read the word "deterministic", we imagined
> some kind of system whereby given the same source tarball and build
> toolchain and architecture, he and I could get binaries with identical
> sha256sums on our two completely unconnected computers.  
> 
> Such a system is a very good idea for verifying binaries, but build
> systems are messy and like to do things like embed build timestamps and
> build hosts in them (Linux kernel I am looking in your direction...)

So people are doing builds with faketime...

  https://wiki.debian.org/ReproducibleBuilds

  http://www.code-wizards.com/projects/libfaketime/

...which is either a really great idea or has
something terrible and obvious wrong with it that
I'm not picking up on yet.

-- 
Don Marti                      +1-510-332-1587 (mobile)
http://zgp.org/~dmarti/        Alameda, California, USA
dmarti at zgp.org


More information about the linux-elitists mailing list