On 18/06/2024 16.59, John Gilmore wrote:
Anytime we find programs using uninitialized memory, we should debug them, not change the build environment to make them seem OK.
Yes, these are bugs and they should be fixed (unless it is the only source of entropy in openssl [1]).
However, there is an infinite number of sources [2] and I cannot debug+fix all of them. Meanwhile, I can disable ASLR in our build environment (because nobody needs it there anyway) and be able to verify that produced binaries correspond to the sources. That is (the) one goal of reproducible-builds and this mitigation gets me closer to it.
Ciao Bernhard M. [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=363516 [2] citation needed
OpenPGP_signature.asc
Description: OpenPGP digital signature
