Deterministic builds
Hi,
For our kernels and maybe more, perhaps it would be beneficial to make
sure builds are deterministic, or at least, try to produce identical
output on every build from the same source.
The security rationale is that the build system can be audited this way,
by someone else running a build on their own hardware, and the binaries
(gzipped kernel image and modules) should match exactly.
But this might also be convenient to show precisely the effects of
applying a security patch - to verify it has really been effective. (A
mistake like this was made in a security patch from upstream[0],
although I noticed it in the source when applying).
It might make it easy to see when toolchain changes have effects too,
once all other noise is removed.
Some differences I've seen between kfreebsd-9 builds are:
* the gzipped kernel image contains a timestamp (can be avoided with the
gzip -n flag)
* osrelease/osreldate/print_version/uname - would it be acceptable to
take the timestamp from debian/changelog, instead of recording the exact
time the build was run?
[0]:
http://lists.freebsd.org/pipermail/freebsd-security/2012-June/006346.html
Regards,
--
Steven Chamberlain
steven@pyro.eu.org
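Added example (shell; not code from the mail above nor from the Debian kfreebsd-9 packaging) showing the two sources of build-to-build noise the mail names: the gzip member header, which stores the input's mtime and name unless -n is given, and a build timestamp that comes from the wall clock instead of from the newest debian/changelog entry. The kernel image and changelog are constructed stand-ins; the functions assume POSIX sh with gzip, cmp, touch -t, mktemp, grep and head.

```shell
#!/bin/sh
# Added example; not code from the original mail or from the Debian
# kfreebsd-9 packaging. It demonstrates the two points raised in the mail:
#   1. gzip writes the input file's mtime and name into the member header,
#      so the same kernel image compressed on two builds differs; gzip -n
#      omits both fields and the outputs become byte-identical.
#   2. A build timestamp taken from the newest debian/changelog entry is the
#      same on every rebuild, unlike the wall-clock time of the build.
# Assumed tools: POSIX sh, gzip, cmp, touch -t, mktemp, grep, head.
# The "kernel image" and the changelog below are constructed for the demo.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
IMAGE="$WORK/kfreebsd.image"
CHANGELOG="$WORK/changelog"

printf 'constructed stand-in for a kernel image\n' > "$IMAGE"
cat > "$CHANGELOG" <<'EOF'
kfreebsd-9 (9.0-5) unstable; urgency=low

  * Constructed changelog entry used by this example only.

 -- Example Maintainer <maintainer@example.invalid>  Thu, 14 Jun 2012 12:00:00 +0000

kfreebsd-9 (9.0-4) unstable; urgency=low

  * Older constructed entry; its date must not be picked up.

 -- Example Maintainer <maintainer@example.invalid>  Mon, 4 Jun 2012 08:30:00 +0000
EOF

# Compress the image twice as if two builds had produced it at different
# times (only the mtime changes). Returns 0 when both .gz files are identical.
gzip_runs_match() {
    flags=$1
    touch -t 201206140000.00 "$IMAGE"
    gzip $flags -c "$IMAGE" > "$WORK/build1.gz"
    touch -t 201206150000.00 "$IMAGE"
    gzip $flags -c "$IMAGE" > "$WORK/build2.gz"
    cmp -s "$WORK/build1.gz" "$WORK/build2.gz"
}

# Date string from the first (newest) " -- maintainer  date" trailer line;
# the two spaces before the date are part of the changelog format.
changelog_date() {
    line=$(grep '^ -- ' "$1" | head -n 1)
    printf '%s\n' "${line##*  }"
}

# Convert that date to the CCYYMMDDhhmm.SS form that touch -t understands.
# The zone offset is ignored (touch -t uses local time); for reproducibility
# only consistency between builds matters, not the absolute instant.
changelog_stamp() {
    set -- $(changelog_date "$1")
    # $1=Thu, $2=14 $3=Jun $4=2012 $5=12:00:00 $6=+0000
    day=$2
    case $day in ?) day=0$day ;; esac
    case $3 in
        Jan) mon=01 ;; Feb) mon=02 ;; Mar) mon=03 ;; Apr) mon=04 ;;
        May) mon=05 ;; Jun) mon=06 ;; Jul) mon=07 ;; Aug) mon=08 ;;
        Sep) mon=09 ;; Oct) mon=10 ;; Nov) mon=11 ;; Dec) mon=12 ;;
        *) return 1 ;;
    esac
    hh=${5%%:*}
    ss=${5##*:}
    mm=${5#*:}
    mm=${mm%:*}
    printf '%s%s%s%s%s.%s\n' "$4" "$mon" "$day" "$hh" "$mm" "$ss"
}

# Point 2 applied to point 1: give the image the changelog date as its mtime
# on every build, so even a plain gzip header (without -n) is reproducible.
gzip_changelog_mtime_match() {
    stamp=$(changelog_stamp "$CHANGELOG") || return 1
    touch -t "$stamp" "$IMAGE"
    gzip -c "$IMAGE" > "$WORK/build1.gz"
    touch -t "$stamp" "$IMAGE"
    gzip -c "$IMAGE" > "$WORK/build2.gz"
    cmp -s "$WORK/build1.gz" "$WORK/build2.gz"
}

# uname-style banner that embeds the changelog date instead of `date`, the
# kind of string osrelease/print_version would otherwise stamp with "now".
version_banner() {
    printf 'kfreebsd-9 built on %s\n' "$(changelog_date "$CHANGELOG")"
}

if gzip_runs_match ""; then echo "gzip default : identical"; else echo "gzip default : differs between builds"; fi
if gzip_runs_match -n; then echo "gzip -n      : identical"; else echo "gzip -n      : differs between builds"; fi
if gzip_changelog_mtime_match; then echo "changelog mtime: identical"; fi
echo "changelog date : $(changelog_date "$CHANGELOG")"
echo "touch -t stamp : $(changelog_stamp "$CHANGELOG")"
version_banner
```

Run it as a plain script; the first comparison reports a difference, the second and third report identical output. Note that gzip -n removes both the timestamp and the stored filename, so it also hides which build directory the image came from, and taking the date from the changelog rather than `date` means a rebuild by an auditor on other hardware reproduces the same banner string.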