> On 16/06/2015 at 23.50, Holger Levsen <hol...@layer-acht.org> wrote:
> 
> "Reproducible builds enable anyone to reproduce bit by bit identical binary 
> packages from a given source, so that anyone can verify that a given binary 
> derived from the source it was said to be derived. " - right now you have to 
> *believe* someone that the binary really comes from said source. And you need 
> to *believe* the system building it wasn't compromised...

The build should be immune to the time of the build, of course. That's fairly 
easy (e.g. use 'ar -D' consistently and leave DEBUG_FLAGS empty).

But what about the user who started the build? This leaks to at least sendmail 
config files.

Being agnostic to the path to the src root (e.g. /usr/src or 
/home/erik/freebsd/HEAD/src) requires rewriting the compiler __FILE__ macro to 
insert a relative path, and make debuggers understand relative paths. This is 
hard.

The FreeBSD subversion revision is also leaked in several places.

I think reproducible builds are a noble goal and would enable all sorts of smart 
analysis, e.g. which binaries are affected by a certain commit. Just remember 
to define the requirements that need to be satisfied to get reproducible builds.

Erik
_______________________________________________
Reproducible-builds mailing list
Reproducible-builds@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/reproducible-builds
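
An added example, not part of the original message or of any FreeBSD tooling: a small checker for two of the leaks discussed above, the per-member mtime/uid/gid header fields that 'ar -D' zeroes and an absolute source-root path embedded in member data. The archives, member names, uid values and timestamps are constructed for illustration; the source root is the example path from the message.

```python
AR_MAGIC = b"!<arch>\n"
SRC_ROOT = b"/home/erik/freebsd/HEAD/src"  # constructed: builder's source root

def make_member(name, data, mtime, uid, gid, mode=0o644):
    """Build one ar member: 60-byte header, then data padded to even length."""
    hdr = b"%-16s%-12d%-6d%-6d%-8o%-10d`\n" % (
        name.encode() + b"/", mtime, uid, gid, mode, len(data))
    return hdr + data + (b"\n" if len(data) % 2 else b"")

def audit_archive(blob, needles=()):
    """Return (member, field, value) for every build-environment leak found."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    findings, off = [], len(AR_MAGIC)
    while off + 60 <= len(blob):
        hdr = blob[off:off + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("bad member header at offset %d" % off)
        text = hdr.decode("ascii", "replace")
        name = text[0:16].rstrip().rstrip("/") or text[0:16].rstrip()
        size = int(text[48:58])
        # Header fields that record when and by whom the member was added.
        for field, lo, hi in (("mtime", 16, 28), ("uid", 28, 34), ("gid", 34, 40)):
            value = int(text[lo:hi].strip() or "0")
            if value != 0:
                findings.append((name, field, value))
        # Byte strings from the build environment embedded in the member body.
        data = blob[off + 60:off + 60 + size]
        for needle in needles:
            if needle in data:
                findings.append((name, "embedded", needle.decode()))
        off += 60 + size + (size % 2)  # members start on even offsets
    return findings

# Constructed sample archives: one built carelessly, one deterministic.
LEAKY = (AR_MAGIC
         + make_member("foo.o", b"\x7fELF" + SRC_ROOT + b"/lib/foo.c",
                       1434491400, 1001, 1001)
         + make_member("bar.o", b"\x7fELF\0", 1434491401, 0, 0))
CLEAN = AR_MAGIC + make_member("foo.o", b"\x7fELFlib/foo.c", 0, 0, 0)

if __name__ == "__main__":
    for label, blob in (("leaky", LEAKY), ("clean", CLEAN)):
        print(label, audit_archive(blob, [SRC_ROOT]))
```
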
