Muhammad Hassan wrote:
> Do you feel there is potential for detecting build unreproducibility
> statically (without executing adversarial rebuilds)?

Yes, there are a number of potentially troublesome strings listed in
https://github.com/bmwiedemann/reproducibleopensuse/blob/master/howtodebug#L31
If one of these gets added, it may be harmless, but would warrant a rebuild
test or closer inspection of the source.

On 24/08/2022 19.37, Chris Lamb wrote:
> Other avenues requiring a single build would include all the instrumentation
> approaches (eg. strace/systemtap, etc.) taken by a few projects. I think
> Bernhard might be able to speak better on this, and there are some
> academic projects in this area as well.

My strace approach uses
https://github.com/bmwiedemann/reproducibleopensuse/blob/master/stracebuild
to trigger
https://github.com/bmwiedemann/reproducible-faketools/blob/master/bin/rpmbuild-strace

I use that to find where unreproducible files come from with
https://github.com/bmwiedemann/reproducibleopensuse/blob/master/autoprovenance

It seems strace cannot see time syscalls - maybe because those do not reach
the kernel via the linux-vdso.so.1 shortcut.
It would be possible to see accesses to /dev/[u]random and readdir syscalls.

I have also played a bit with ptrace-based https://github.com/dettrace/dettrace
but it needed regular updates as Linux keeps introducing new syscalls.

Ciao
Bernhard M.
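An added illustrative example, not part of the thread and not Bernhard's howtodebug list or tooling: a small static pre-screen in Python that walks a source tree and flags lines matching a constructed pattern list for the kinds of strings discussed above (build timestamps, /dev/[u]random and PRNG use, unsorted directory listings, host-specific values). A hit is a prompt for a rebuild test or review, not proof of unreproducibility.

```python
#!/usr/bin/env python3
"""Static pre-screen for common sources of build unreproducibility.

The PATTERNS list is constructed for this example and is deliberately
coarse; it is a starting point, not a substitute for a rebuild test.
"""
import re
from pathlib import Path

# Constructed (category, regex) pairs; extend with project-specific strings.
PATTERNS = [
    ("timestamp", re.compile(r"__DATE__|__TIME__|__TIMESTAMP__")),
    ("timestamp", re.compile(r"\b(date|strftime|gettimeofday|clock_gettime|time)\s*\(")),
    ("timestamp", re.compile(r"\$\(date\b|`date\b")),
    ("randomness", re.compile(r"/dev/u?random|\brandom\.|\bsrand\(|\buuid4?\(")),
    ("dir-order", re.compile(r"\b(readdir|listdir|os\.walk|glob\.glob|scandir)\s*\(")),
    ("host-specific", re.compile(r"\b(gethostname|uname|whoami)\b|\$\{?HOSTNAME")),
]

# Constructed sample input standing in for a C source file.
SAMPLE = (
    'printf("built on %s\\n", __DATE__);\n'
    'int fd = open("/dev/urandom", O_RDONLY);\n'
    'while ((e = readdir(d)) != NULL) add(e->d_name);\n'
    'return 0;\n'
)

def scan_text(text, name="<text>"):
    """Return [(name, lineno, category, line)] for each suspicious line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for category, rx in PATTERNS:
            if rx.search(line):
                hits.append((name, lineno, category, line.strip()))
                break  # one report per line is enough
    return hits

def scan_tree(root, names=(".c", ".h", ".py", ".sh", ".mk", ".spec", "Makefile")):
    """Scan files under root; sorted walk keeps the report itself reproducible."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and (path.suffix in names or path.name in names):
            hits.extend(scan_text(path.read_text(errors="replace"), str(path)))
    return hits

if __name__ == "__main__":
    import sys
    found = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_text(SAMPLE, "sample.c")
    for name, lineno, category, line in found:
        print(f"{name}:{lineno}: [{category}] {line}")
```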