[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Building packages three times in a row

On Sun, 23 Sep 2007 23:32:59 +0200
Martin Uecker <muecker@gmx.de> wrote:

> Patrick Winnertz wrote:
> > Am Dienstag, 18. September 2007 21:12:44 schrieb Julien Cristau:
> > > > Hmmhh, what do you do about programs etc that encode the build-time in
> > > > the binary? I mean they obviously will change between builds?
> > >
> > > Hopefully they don't encode the build-time in the file list?
> > We checked not for files which differ, but only for files which are missing 
> > in the first package. or which are missing in the second package.
> >
> I think it would be really cool if the Debian policy required
> that packages could be rebuild bit-identical from source. 
> At the moment, it is impossible to independly verify the
> integricity of binary packages.

This has been covered before - certain upstream macros are among many
factors that ensure that this is unlikely. I, for one, use such macros
upstream to indicate the build time of the actual executable installed
so this will change the binary every time it is built.

You have md5sums and GnuPG signatures on the Release files - I see no
benefit from bit-matching.


Neil Williams

Attachment: pgpD3YfIB9Ted.pgp
Description: PGP signature

Reply to: