phelix added the comment: Thank you all for your responses.
> Having read your link [2] above (at least briefly), it seems the aim is to
> compare hashes of builds from multiple people to verify that nobody
> maliciously modified the binaries.

Exactly. Also it might protect the people actually doing the builds from extortion and accusations from backdoor victims (e.g. in case of a hacked build system).

> That isn't going to work for Windows because we cryptographically sign the
> binaries. The only people who could produce bit-for-bit identical builds are
> those trusted by the PSF, and not independent people. So if you don't trust
> the PSF and implicitly the people trusted by the PSF, you can't actually do
> anything besides building your own version and using that.

Joseph tried just that but ran into issues.

> However, the rest of the build is so automated that other personal variations
> will not occur. As I mentioned above, I have exactly one batch file to build
> the full span of releases for Windows, and I just run that. It's public and
> in the repo, so anyone else can also run it, they just won't get bit-for-bit
> identical builds because of timestamps, embedded paths, and certificates.

Timestamps and paths should be handled by the Gitian secure build system (cross compile).

From my point of view this issue can be closed as my questions are answered. We will take another look at building reproducibly. If we run into problems I will create another issue here in the hope you can help again. :)

----------
_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue25255>
_______________________________________