Hi,

Does that mean that Parabola has some interest in reproducible builds? Are there some plans to tackle the problem?

As I understand it, unlike other distributions that have a single point of failure, that is, their build infrastructure, we do have to trust:
-> Every single package maintainer from Parabola
-> Every single package maintainer from Arch, as we use most of their stock packages
-> The machine and the software involved in the creation of the packages, including Arch developers who probably run non-free software on their developer machines.

Since Parabola suits me really, really well, and since I value freedom over security, I still do use Parabola. Adapting to Trisquel was too painful for me.

> -------------------- Start of forwarded message --------------------
[...]
>
> First Reproducible Builds Summit
> ================================
>
> https://guardianproject.info/2015/12/09/first-reproducible-builds-summit/
>
> I was just in Athens for the "[Reproducible Builds
> Summit](https://reproducible-builds.org/events/athens2015/)", an
> [Aspiration](https://aspirationtech.org/)-run meeting focused on the
> issues of getting all software builds to be reproducible. This means
> that anyone starting with the same source code can build the *exact*
> same binary, bit-for-bit. At first glance, it sounds like this
> horrible, arcane detail, which it is really. But it provides tons of
> real benefits that can save lots of time. And in terms of
> programming, it can actually be quite fun, like doing a puzzle or
> sudoku, since there is a very clear point where you have "won".
>
> Here are some examples of real benefits:
[...]

Well, there are even more benefits: if we get that into Parabola, you can then debug Parabola. Right now we have no debug symbols. That would not be a problem anymore, as you would be able to generate them afterward. The user would just recompile the package with debug enabled to get such symbols. The sha512sum of this package's binaries would still match.

> Google,

Was it because of ChromeOS and Chromebooks?
I see a point in getting ChromeOS boot firmware reproducible; that would make the point that you can have a secure and free software boot firmware. I'm not saying that theirs always is 100% free software. Usually they use coreboot with vendor blobs.

> [Arch Linux](https://www.archlinux.org/),

What is its status?

> [Coreboot](https://www.coreboot.org/),

Here that's really interesting. It will also make it into the next libreboot release. Let's imagine your laptop gets modified during shipping and a modified coreboot/libreboot image is built and reflashed. Now with an external programmer you can detect that: dumping the flash from the same laptop you want to verify may not give you the real content of the flash (the hardware makes it way too easy to give back a modified image). So dumping the flash externally and building the same image makes it possible to check if there was any modification.

> [Guix](https://www.gnu.org/software/guix/) package manager

As I understand it, it's not as stable (bug free, usable) as Parabola yet.

If Arch becomes reproducible, we definitely want to get reproducible too. That would permit us to check the Arch packages, and to get debug symbols easily.

Given that, in the Parabola community, 100% free systems are more common, and that they can be verified as stated above, the benefit would be really great.

Let's not have the dilemma of having to choose between:
-> Security and not-100% free distributions.
-> Freedom and insecure distributions.

Denis.

_______________________________________________
Dev mailing list
Dev@lists.parabola.nu
https://lists.parabola.nu/mailman/listinfo/dev