
Deterministic builds



Hi,

For our kernels and maybe more, perhaps it would be beneficial to make
sure builds are deterministic, or at least, try to produce identical
output on every build from the same source.

The security rationale is that the build system can be audited this way,
by someone else running a build on their own hardware, and the binaries
(gzipped kernel image and modules) should match exactly.

But this might also be convenient to show precisely the effects of
applying a security patch - to verify it has really been effective.  (A
mistake like this was made in a security patch from upstream[0],
although I noticed it in the source when applying).

It might make it easy to see when toolchain changes have effects too,
once all other noise is removed.

Some differences I've seen between kfreebsd-9 builds are:

* the gzipped kernel image contains a timestamp (can be avoided with the
gzip -n flag)

* osrelease/osreldate/print_version/uname - would it be acceptable to
take the timestamp from debian/changelog, instead of recording the exact
time the build was run?

[0]:
http://lists.freebsd.org/pipermail/freebsd-security/2012-June/006346.html

Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org


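An added example that is not part of the message above and not code from the Debian kfreebsd packaging: a POSIX shell script that reproduces the two sources of noise listed in the bullets on constructed input and shows the fix for each. It compresses the same "kernel image" from two files with different mtimes (standing in for two builds run at different times) once with default gzip and once with gzip -n, and compares the compressed bytes; then it pulls the date of the newest debian/changelog entry out of a constructed changelog fragment, the value a build could record in osrelease/uname instead of the wall-clock time. The package name, maintainer and dates in the fragment are placeholders.

```shell
#!/bin/sh
# Added example, not from the original message or the Debian kfreebsd
# packaging. Demonstrates gzip header timestamps vs gzip -n, and taking a
# build date from debian/changelog instead of the clock.
set -eu

# Compress identical payloads that carry different mtimes and report whether
# the outputs are byte-identical.  $1: extra gzip flags ("" or "-n").
# Prints "same" or "differs".  The payload file has the same basename in
# both directories so only the header MTIME field can differ.
gzip_compare() {
    flags="$1"
    dir=$(mktemp -d)
    mkdir "$dir/build1" "$dir/build2"
    printf 'constructed kernel payload, not a real image\n' > "$dir/build1/kernel"
    cp "$dir/build1/kernel" "$dir/build2/kernel"
    # Two builds run months apart: gzip copies the input mtime into its
    # header unless -n is given.
    touch -t 201201010000 "$dir/build1/kernel"
    touch -t 201206180000 "$dir/build2/kernel"
    gzip -c $flags "$dir/build1/kernel" > "$dir/build1/kernel.gz"
    gzip -c $flags "$dir/build2/kernel" > "$dir/build2/kernel.gz"
    sum1=$(cksum < "$dir/build1/kernel.gz")
    sum2=$(cksum < "$dir/build2/kernel.gz")
    rm -rf "$dir"
    if [ "$sum1" = "$sum2" ]; then
        printf 'same\n'
    else
        printf 'differs\n'
    fi
}

# Print the RFC 2822 date of the newest entry in a debian/changelog.
# Each entry ends with a trailer " -- Name <email>  Date"; the first
# trailer in the file belongs to the newest entry.  $1: changelog path.
changelog_date() {
    sed -n 's/^ -- .*>  //p' "$1" | head -n 1
}

# Write a constructed changelog fragment (placeholder package, maintainer
# and dates) in the real format, newest entry first.  $1: output path.
make_changelog() {
    cat > "$1" <<'EOF'
kfreebsd-9 (9.0-0) unstable; urgency=low

  * Constructed example entry.

 -- Example Maintainer <maintainer@example.org>  Mon, 18 Jun 2012 12:00:00 +0000

kfreebsd-9 (9.0-0~older) unstable; urgency=low

  * Older entry whose date must not be picked.

 -- Example Maintainer <maintainer@example.org>  Sun, 01 Jan 2012 00:00:00 +0000
EOF
}

# Stand-alone run: show both gzip results and the extracted changelog date.
printf 'gzip default : %s\n' "$(gzip_compare "")"
printf 'gzip -n      : %s\n' "$(gzip_compare "-n")"
tmp=$(mktemp)
make_changelog "$tmp"
printf 'changelog date: %s\n' "$(changelog_date "$tmp")"
rm -f "$tmp"
```

With default flags the two archives differ only in the four-byte MTIME field of the gzip header; with -n that field is written as zero and the stored file name is dropped too, so the outputs match. The changelog date is a string rather than a Unix epoch on purpose: the same string can be substituted wherever the build currently inserts the output of date(1), and it only changes when a new changelog entry is added.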