On Sun, Jul 17, 2016 at 9:38 AM, David Bruant <bruan...@gmail.com> wrote:

>
> The second point sort of solves them both. As part of making things
> verifiable, Mozilla could publish a program that makes byte by byte
> comparison only on files that matter after unzip. If they're not that
> important, .chk files could be ignored (blacklisted from the comparison).
> Same for file timestamps.
> That would be acceptable IMHO since a backdoor cannot be hidden in .chk
> files or file timestamps (right?).
>

It's not unreasonable, but I'd be wary of having to have an asterisk with
caveats explaining that you should trust us that the non-reproducible bits
don't actually matter. Reproducibility shouldn't depend on having to do a
code audit to understand impact of excluded things.

That said, my understanding of .CHK files is that they're just library
checksums required for FIPS140 certification (iirc intended to guard
against accidentally corrupted code emitting broken crypto). I think we
generally no longer care about FIPS certification of Firefox, and so should
consider just nuking this stuff in Firefox. We've certainly talked about
doing this before, because it's caused pain in other cases. (Judging from
1181814 NSS itself still cares about this for use in other products.)

Justin
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
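
The comparison discussed in this thread, sketched as an added example (not code from the thread or from Mozilla): it hashes the unpacked content of each archive member, never reads timestamps, and lists excluded files that differ instead of silently skipping them. The function names, the report layout and the sample file names are assumptions made for illustration; only the `.chk` exclusion comes from the thread.

```python
import fnmatch
import hashlib
import io
import zipfile

# Assumption: only the ".chk" exclusion comes from the thread.
IGNORED = ("*.chk",)

def digests(archive):
    """Map member name -> SHA-256 of unpacked bytes; timestamps are never read."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.filename in out:  # a duplicate name could hide a second payload
                raise ValueError("duplicate entry: " + info.filename)
            out[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return out

def compare_builds(a_bytes, b_bytes, ignored=IGNORED):
    """Compare two archives; excluded files that differ are listed, not hidden."""
    a, b = digests(a_bytes), digests(b_bytes)
    report = {"mismatch": [], "missing": [], "ignored_differing": []}
    for name in sorted(set(a) | set(b)):
        if a.get(name) == b.get(name):
            continue
        if any(fnmatch.fnmatch(name.lower(), p) for p in ignored):
            report["ignored_differing"].append(name)
        elif name in a and name in b:
            report["mismatch"].append(name)
        else:
            report["missing"].append(name)
    report["reproducible"] = not (report["mismatch"] or report["missing"])
    return report

def make_zip(files, date_time):
    """Build a constructed sample archive in memory with a fixed member timestamp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=date_time), data)
    return buf.getvalue()

# Constructed sample builds: same code, different timestamps and .chk contents.
BUILD_A = make_zip({"libexample.so": b"code", "libexample.chk": b"sig-A"}, (2016, 7, 17, 9, 0, 0))
BUILD_B = make_zip({"libexample.so": b"code", "libexample.chk": b"sig-B"}, (2016, 7, 18, 12, 0, 0))

if __name__ == "__main__":
    print(compare_builds(BUILD_A, BUILD_B))
```

Keeping `ignored_differing` in the report makes the exclusion visible to anyone reading the result, which is the caveat raised in the reply above.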
