Hi all,

Deterministic software builds are helpful for spotting and preventing
malicious modifications such as inserting back-doors.

At the moment, grub builds are mostly deterministic.  However,
grub-mkimage does not deterministically build EFI binaries.  This is
because the PE/COFF headers include timestamps.  This is a widespread
problem in the Windows world -- see for example a discussion of
deterministically building TrueCrypt. [1]

One solution would be to:
 * build deterministically by default by using a constant timestamp, and
 * add a --with-timestamps option (disabled by default), which would
enable honest timestamps.

What do you think?  Are you accepting patches?

Cheers,
Andrew

[1] https://madiba.encs.concordia.ca/~x_decarn/truecrypt-binaries-analysis/

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
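The check a build verifier would run for the problem described in the message above, as an added example that is not part of the original post or of grub: it locates the COFF header TimeDateStamp in two PE images and reports whether they differ only in that field. All function names are hypothetical, the sample images are constructed, and only the COFF file header timestamp is handled.

```python
import struct

PE_SIG = b"PE\0\0"

def timestamp_offset(image: bytes) -> int:
    """Return the file offset of the COFF TimeDateStamp field."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)  # offset of PE signature
    if e_lfanew + 24 > len(image) or image[e_lfanew:e_lfanew + 4] != PE_SIG:
        raise ValueError("PE signature not found")
    # After the 4-byte signature: Machine(2), NumberOfSections(2), TimeDateStamp(4)
    return e_lfanew + 4 + 4

def read_timestamp(image: bytes) -> int:
    return struct.unpack_from("<I", image, timestamp_offset(image))[0]

def with_timestamp(image: bytes, value: int = 0) -> bytes:
    """Return a copy of the image with TimeDateStamp set to a constant."""
    out = bytearray(image)
    struct.pack_into("<I", out, timestamp_offset(image), value)
    return bytes(out)

def classify(a: bytes, b: bytes) -> str:
    """Compare two builds of the same source."""
    if a == b:
        return "identical"
    if with_timestamp(a) == with_timestamp(b):
        return "timestamp-only"   # reproducible apart from the header timestamp
    return "different"            # some other byte differs: investigate

def sample_image(stamp: int, body: bytes) -> bytes:
    """Constructed input: 64-byte DOS header, PE signature, COFF header, body."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, stamp, 0, 0, 0, 0x0022)
    return bytes(dos) + PE_SIG + coff + body

if __name__ == "__main__":
    first = sample_image(0x5F000000, b"code")    # constructed "build 1"
    second = sample_image(0x5F000123, b"code")   # same content, later build time
    patched = sample_image(0x5F000000, b"c0de")  # content actually changed
    print(classify(first, second), classify(first, patched))
```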
