[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Building packages three times in a row

On Mon, Sep 24, 2007 at 12:54:58AM +0200, Martin Uecker wrote:
> Neil Williams <codehelp@debian.org>:
> > This has been covered before - certain upstream macros are among 
> > many factors that ensure that this is unlikely. I, for one, use such
> > macros upstream to indicate the build time of the actual executable
> > installed so this will change the binary every time it is built.
> This could be fixed.

In every binary that includes the build date in it? There's rather a
lot; off the top of my head, Vim does it, and so does the Linux kernel

> > You have md5sums and GnuPG signatures on the Release files - I see
> > no benefit from bit-matching.
> The build host could be compromised. Not that unlikely.

And if the build host was compromised, how would that help any more than
md5sums and gpg-signing? With access to the build host, whatever list of
bits to match could be changed along with the binary, the md5sum, and
the gpg-signature.

Anyway, surely the point of hashes like md5, sha1, etc, is that it's
much faster to do that than to compare large files bit by bit?

Benjamin A'Lee <bma@subvert.org.uk>

Attachment: signature.asc
Description: Digital signature

Reply to: