Re: Deterministic builds
Hi Steven,
Steven Chamberlain:
> For our kernels and maybe more, perhaps it would be beneficial to make
> sure builds are deterministic, or at least, try to produce identical
> output on every build from the same source.
>
> The security rationale is that the build system can be audited this way,
> by someone else running a build on their own hardware, and the binaries
> (gzipped kernel image and modules) should match exactly.
>
> But this might also be convenient to show precisely the effects of
> applying a security patch - to verify it has really been effective. (A
> mistake like this was made in a security patch from upstream[0],
> although I noticed it in the source when applying).
Nice spotting, I had never thought of that...
> Some differences I've seen between kfreebsd-9 builds are:
>
> * the gzipped kernel image contains a timestamp (can be avoided with the
> gzip -n flag)
Please go ahead ;-)
> * osrelease/osreldate/print_version/uname - would it be acceptable to
> take the timestamp from debian/changelog, instead of recording the exact
> time the build was run?
Upstream does something similar with svn version number. I suggest you
look at newvers.sh, perhaps it can be expanded to support other variables.
--
Robert Millan
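As an added illustration of the two points raised in this exchange (not code from either poster or from the kfreebsd packaging), the script below shows the gzip timestamp problem and its `-n` fix on a constructed stand-in file, and pulls a fixed build date out of a constructed debian/changelog trailer instead of the wall clock. The `version_banner` format is hypothetical and not what newvers.sh emits.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the two non-determinism
# sources discussed above on a constructed kernel stand-in and changelog.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf 'constructed kernel image stand-in\n' > "$WORK/kernel"

# Compress the same file twice with different mtimes and report whether the
# gzip output is byte-identical. $1 is "" (default: name and mtime are
# stored in the gzip header) or "-n" (neither is stored).
gzip_reproducible() {
    touch -t 202001010000.00 "$WORK/kernel"
    first=$(gzip -c $1 "$WORK/kernel" | cksum)
    touch -t 202001020000.00 "$WORK/kernel"
    second=$(gzip -c $1 "$WORK/kernel" | cksum)
    [ "$first" = "$second" ] && echo yes || echo no
}

# Constructed debian/changelog; the trailer date is the fixed reference time.
cat > "$WORK/changelog" <<'EOF'
kfreebsd-9 (9.0-1) unstable; urgency=low

  * Constructed entry for this example.

 -- Example Maintainer <maintainer@example.invalid>  Sat, 14 Jan 2012 12:00:00 +0000
EOF

# Take the build timestamp from the latest changelog trailer instead of
# $(date), so version strings depend only on the source tree.
changelog_date() {
    sed -n 's/^ -- .*>  *//p' "$1" | head -n 1
}

# Hypothetical newvers.sh-style banner built from the changelog date.
version_banner() {
    printf 'kfreebsd-9 built from source dated %s\n' "$(changelog_date "$1")"
}

echo "gzip default reproducible: $(gzip_reproducible "")"
echo "gzip -n reproducible:      $(gzip_reproducible -n)"
version_banner "$WORK/changelog"
```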