[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Building packages three times in a row

Neil Williams <codehelp@debian.org>:
> Martin Uecker <muecker@gmx.de> wrote:


> > 
> > I think it would be really cool if the Debian policy required
> > that packages could be rebuild bit-identical from source. 
> > At the moment, it is impossible to independly verify the
> > integricity of binary packages.
> This has been covered before - certain upstream macros are among 
> many factors that ensure that this is unlikely. I, for one, use such
> macros upstream to indicate the build time of the actual executable
> installed so this will change the binary every time it is built.

This could be fixed.

> You have md5sums and GnuPG signatures on the Release files - I see
> no benefit from bit-matching.

The build host could be compromised. Not that unlikely.


Reply to: