
Re: Building packages three times in a row



Neil Williams <codehelp@debian.org>:
> Martin Uecker <muecker@gmx.de> wrote:

[...]

> > 
> > I think it would be really cool if the Debian policy required
> > that packages could be rebuilt bit-identical from source.
> > At the moment, it is impossible to independently verify the
> > integrity of binary packages.
>
> This has been covered before - certain upstream macros are among 
> many factors that ensure that this is unlikely. I, for one, use such
> macros upstream to indicate the build time of the actual executable
> installed so this will change the binary every time it is built.

This could be fixed.

> You have md5sums and GnuPG signatures on the Release files - I see
> no benefit from bit-matching.

The build host could be compromised. Not that unlikely.


Martin


