> | outcome on two different build hosts, unless the actual build
> | environment is the same to the detail.
The goal of Reproducible Builds is to increase our confidence that no malware was injected into the artifact during the build process. To achieve this, we build from source on different machines and check whether the result is the same. There is a tension between two concerns here: on the one hand, you want those machines to be as diverse as possible: the larger the difference between the machines, the higher your confidence in the absence of foul play (since an attacker would have to find a way to impact all those variations in machines). On the other hand, of course it is unreasonable to expect the same results on machines that are too wildly different. Which differences a build procedure should be resistant against to be considered 'reproducible' is not always clear-cut.

I understand this can be frustrating when apparently previously the Debian rebuilders didn't exercise a certain difference while now they do. On the other hand, just the fact that this was constant before doesn't immediately mean this is a defect in the rebuilding infrastructure, either.

So the question is whether it is reasonable to require all builders to have identical MAKEFLAGS. There are definitely things in the MAKEFLAGS that I wouldn't expect to influence the resulting artefact, such as the build parallelism. On the other hand, of course it is entirely reasonable for application-level configuration flags to change the output, and making those appear in the output of something like "mailx -v -Xversion -Xx" sounds legitimate to me as well.

Would there be any way to keep only the 'application-level' options from the MAKEFLAGS but leave the 'build-level' options out? (You mention 'test1/ and test2/ or so', but I'm not sure what exactly is going on there.)

Kind regards,
Arnout

_______________________________________________
Reproducible-builds mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/reproducible-builds
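One way to do the split Arnout asks about, as an added example that is not code from this thread, from mailx or from the Debian rebuilders: classify each MAKEFLAGS token by shape, keep only the command-line variable assignments (the 'application-level' part), and drop the bare option-letter cluster, dashed options such as -j and --jobserver-auth, and the "--" separator (the 'build-level' part). The classification is by token shape because the exact layout of MAKEFLAGS varies between make versions; the sample MAKEFLAGS strings in the demo are constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): separate $MAKEFLAGS into
# "build-level" options (parallelism, jobserver, -k, -s, ...) and
# "application-level" command-line variable assignments (NAME=VALUE), so that
# only the latter are embedded in an artefact such as a version banner.
#
# Assumption: a token is classified purely by its shape, because the exact
# layout of MAKEFLAGS (a leading option-letter cluster without a dash, dashed
# long options, a "--" separator before variable assignments) differs between
# make versions.

# Print the NAME=VALUE assignments from a MAKEFLAGS string, one per line.
# Usage: app_flags "$MAKEFLAGS"
app_flags() {
    for tok in $1; do
        case "$tok" in
            --)   ;;                           # separator before assignments
            -*)   ;;                           # option: -j4, -k, --jobserver-auth=3,4 ...
            *=*)  printf '%s\n' "$tok" ;;      # command-line variable assignment
            *)    ;;                           # bare option-letter cluster, e.g. "kw"
        esac
    done
}

# Print the build-level tokens (everything that is not an assignment).
build_flags() {
    for tok in $1; do
        case "$tok" in
            --|-*) printf '%s\n' "$tok" ;;
            *=*)   ;;
            *)     printf '%s\n' "$tok" ;;
        esac
    done
}

# Join the application-level assignments into one space-separated string,
# sorted, so two builders that pass the same configuration in a different
# order still embed an identical string.
app_flags_string() {
    app_flags "$1" | LC_ALL=C sort | tr '\n' ' ' | sed 's/ $//'
}

# Demo on constructed MAKEFLAGS values: two hosts with different parallelism
# and a different jobserver, but the same application-level configuration.
if [ "${1:-}" = "--demo" ]; then
    host1='kw -j8 --jobserver-auth=3,4 -- WANT_DOCS=yes CC=gcc'
    host2='k -j2 --jobserver-auth=5,6 -- CC=gcc WANT_DOCS=yes'
    echo "host1 app flags:   $(app_flags_string "$host1")"
    echo "host2 app flags:   $(app_flags_string "$host2")"
    echo "host1 build flags: $(build_flags "$host1" | tr '\n' ' ')"
fi
```

Run it with `sh filter-makeflags.sh --demo`: both hosts yield the same `CC=gcc WANT_DOCS=yes` string even though their build-level tokens differ. The filter relies on plain word splitting, so an assignment whose value contains whitespace would need quoting-aware parsing; for the usual `NAME=value` configuration switches that is not a concern.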
