Re: Building packages three times in a row
Neil Williams <firstname.lastname@example.org>:
> Martin Uecker <email@example.com> wrote:
> > I think it would be really cool if the Debian policy required
> > that packages could be rebuilt bit-identical from source.
> > At the moment, it is impossible to independently verify the
> > integrity of binary packages.
> This has been covered before - certain upstream macros are among
> many factors that ensure that this is unlikely. I, for one, use such
> macros upstream to indicate the build time of the actual executable
> installed so this will change the binary every time it is built.
This could be fixed.
> You have md5sums and GnuPG signatures on the Release files - I see
> no benefit from bit-matching.
The build host could be compromised. Not that unlikely.