
Re: Deterministic builds



Hi Steven,

Steven Chamberlain:
> For our kernels and maybe more, perhaps it would be beneficial to make
> sure builds are deterministic, or at least, try to produce identical
> output on every build from the same source.
> 
> The security rationale is that the build system can be audited this way,
> by someone else running a build on their own hardware, and the binaries
> (gzipped kernel image and modules) should match exactly.
> 
> But this might also be convenient to show precisely the effects of
> applying a security patch - to verify it has really been effective.  (A
> mistake like this was made in a security patch from upstream[0],
> although I noticed it in the source when applying).

Nice spotting, I had never thought of that...

> Some differences I've seen between kfreebsd-9 builds are:
> 
> * the gzipped kernel image contains a timestamp (can be avoided with the
> gzip -n flag)

Please go ahead ;-)

> * osrelease/osreldate/print_version/uname - would it be acceptable to
> take the timestamp from debian/changelog, instead of recording the exact
> time the build was run?

Upstream does something similar with the svn version number. I suggest you
look at newvers.sh; perhaps it can be expanded to support other variables.

-- 
Robert Millan
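The two sources of non-determinism Steven lists, worked through as an added shell example (this is not code from the thread, from the kfreebsd packaging, or from upstream's newvers.sh). It assumes GNU gzip (for `-n`) and `sha256sum` are available; the kernel image and the debian/changelog it uses are constructed stand-ins. The first function shows why two otherwise identical builds of the same image produce different `.gz` files unless `-n` is used, and the second shows how a build stamp can be taken from the newest changelog entry instead of the clock, so an auditor rebuilding on their own hardware gets byte-identical output.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Assumes GNU gzip (supports -n) and sha256sum.
set -e

# Digest of $1 compressed with the gzip flags given in $2 (may be empty).
gz_digest() {
    gzip -c $2 "$1" | sha256sum | cut -d' ' -f1
}

# Simulate two builds of the same image at different times: identical
# bytes, different mtime. gzip records the input's mtime in its header
# unless -n is given, so only the -n case reproduces.
# $1 = gzip flags ("" or "-n"); prints "same" or "differs".
compare_gzip_builds() {
    dir=$(mktemp -d)
    # Constructed stand-in for the gzipped kernel image.
    printf 'constructed stand-in for a kernel image\n' > "$dir/kernel"
    touch -t 201301010000 "$dir/kernel"          # "first" build
    a=$(gz_digest "$dir/kernel" "$1")
    touch -t 201401010000 "$dir/kernel"          # "second" build, a year later
    b=$(gz_digest "$dir/kernel" "$1")
    rm -rf "$dir"
    [ "$a" = "$b" ] && echo same || echo differs
}

# Constructed debian/changelog; the trailer line carries the date we want.
SAMPLE_CHANGELOG=$(cat <<'EOF'
kfreebsd-9 (9.0-1) unstable; urgency=low

  * Constructed sample entry.

 -- Example Maintainer <maintainer@example.invalid>  Tue, 01 Jan 2013 12:00:00 +0000
EOF
)

# Read a changelog on stdin and print the date from its first trailer line
# (" -- Name <email>  Date"). This is the stamp a build could record in
# osrelease/osreldate instead of the wall-clock time, so it is stable
# across rebuilds of the same source package.
changelog_date() {
    sed -n 's/^ -- .*  //p' | head -n 1
}

# Generate the kind of header newvers.sh produces upstream (constructed
# stand-in, not the real script) from the changelog date, so that two
# builds of the same package emit an identical file.
vers_header() {
    stamp=$(printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_date)
    printf '#define BUILD_DATE "%s"\n' "$stamp"
}

echo "gzip (default) : $(compare_gzip_builds '')"
echo "gzip -n        : $(compare_gzip_builds -n)"
echo "build stamp    : $(printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_date)"
echo "header digest  : $(vers_header | sha256sum | cut -d' ' -f1)"
```

Run it twice, on two machines if you like: the `gzip -n` line and the header digest are what an auditor compares; the default-gzip line is the difference Steven observed. Whether a stamp derived from the changelog is acceptable for uname output is the policy question raised in the thread; the script only shows that it removes the clock from the build.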
