Hi,

On Mon, Jun 6, 2022 at 6:50 PM Vagrant Cascadian
<vagr...@reproducible-builds.org> wrote:
>
> So, Debian's maradns package just removes this embedding of a "random"
> number, and I've basically adapted their patches to build reproducibly
> on guix too... by basically embedding the same "random" number every
> single build!

There may be more than one opinion, but as the maintainer of a TLS
library in Debian I think it is a questionable tradeoff. At a minimum,
it would be preferable to use the version number instead of a fixed
constant for all releases.

MaraDNS does not support DNSSEC so the program may not use entropy for
keys. Either way, I'd rather use an unreproducible build than,
accidentally, a known number series to encrypt secrets. Can one patch
out the constant entirely so it is no longer available?

The upstream website says: "People like MaraDNS because it’s ...
remarkably secure." [1] Since many distributions have the same issue,
upstream could perhaps offer the patch as a build switch to enable a
build-time seed only when needed.

Thank you for your hard work on Guix! As a newbie I'll say, what a
great distro. Thanks, everyone!

Kind regards,
Felix Lechner

[1] https://maradns.samiam.org/
