[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Deterministic builds

Hi Steven,

Steven Chamberlain:
> For our kernels and maybe more, perhaps it would be beneficial to make
> sure builds are deterministic, or at least, try to produce identical
> output on every build from the same source.
> The security rationale is that the build system can be audited this way,
> by someone else running a build on their own hardware, and the binaries
> (gzipped kernel image and modules) should match exactly.
> But this might also be convenient to show precisely the effects of
> applying a security patch - to verify it has really been effective.  (A
> mistake like this was made in a security patch from upstream[0],
> although I noticed it in the source when applying).

Nice spotting, I never had thought of that...

> Some differences I've seen between kfreebsd-9 builds are:
> * the gzipped kernel image contains a timestamp (can be avoided with the
> gzip -n flag)

Please go ahead ;-)

> * osrelease/osreldate/print_version/uname - would it be acceptable to
> take the timestamp from debian/changelog, instead of recording the exact
> time the build was run?

Upstream does something similar with svn version number. I suggest you
look at newvers.sh, perhaps it can be expanded to support other variables.

Robert Millan

Reply to: