Re: Building packages with exact binary matches
On Mon, 24 Sep 2007 04:56:45 +0200, Martin Uecker <firstname.lastname@example.org> said:
>> On Mon, 24 Sep 2007 00:54:58 +0200
>> Martin Uecker <email@example.com> wrote:
>> > Neil Williams <firstname.lastname@example.org>:
>> > > This has been covered before - certain upstream macros are among
>> > > many factors that ensure that this is unlikely. I, for one, use
>> > > such macros upstream to indicate the build time of the actual
>> > > executable installed so this will change the binary every time it
>> > > is built.
>> > ac This could be fixed.
>> Fixed?? What the? You're asserting that this is a PROBLEM to be
> If policy would require the exact reproducability of binaries, then it
> would be a policy violation.
That is not how things work around here. In a case like this,
policy will _follow_ most packages being bit-for-bit identical, and
can't be used as a stick to beat people on the head with.
> I do not see how this helps. Imagine a build host is compromised and
> this is noticed only after a few weeks. Theoretically every machine
> which downloaded and installed a package in this time could be
> compromised. And even worse: it is practically impossible to find out
> wether a package is actually affected!
Actually, if you do not trust the path down which a binary
package flows, you can not use any information down that flow path to
test your implementation. You need to do a full source audit, and
build from source -- at which point, you might just install your trused
binary, instead of trying to verify that the upstream package is the
same as yours.
If you find this inadequate, then your best bet to seeing this
happen is to go ahead and start submitting patches to make package be
bit-for-bit compatible -- starting with, perhaps, the essential
packages. Once you have enough of the packages converted, we can talk
about making this a policy recommendation.
I think building gcc builds it several times, and they had a
neat trick of ignoring the first few bytes of a file which had the time
stamp, and comparing the rest. You could try using that technique to
compare files in packages.
I, for one, think this technically infeasible, but hey, I'll be
happy to be proved wrong.
"There can be no offense where none is taken" Japanese proverb
Manoj Srivastava <email@example.com> <http://www.debian.org/~srivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C