[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Building packages with exact binary matches

On Mon, 24 Sep 2007 04:56:45 +0200, Martin Uecker <muecker@gmx.de> said: 

>> On Mon, 24 Sep 2007 00:54:58 +0200
>> Martin Uecker <muecker@gmx.de> wrote:
>> > Neil Williams <codehelp@debian.org>:
>> > > This has been covered before - certain upstream macros are among
>> > > many factors that ensure that this is unlikely. I, for one, use
>> > > such macros upstream to indicate the build time of the actual
>> > > executable installed so this will change the binary every time it
>> > > is built.
>> > ac This could be fixed.
>> Fixed?? What the? You're asserting that this is a PROBLEM to be
>> fixed?

> If policy would require the exact reproducability of binaries, then it
> would be a policy violation.

        That is not how things work around here.  In a case like this,
 policy will _follow_ most packages being bit-for-bit identical, and
 can't be used as a stick to beat people on the head with.

> I do not see how this helps. Imagine a build host is compromised and
> this is noticed only after a few weeks. Theoretically every machine
> which downloaded and installed a package in this time could be
> compromised. And even worse: it is practically impossible to find out
> wether a package is actually affected!

        Actually, if you do not trust the path down which a binary
 package flows, you can not use any information down that flow path to
 test your implementation.  You need to do a full source audit, and
 build from source -- at which point, you might just install your trused
 binary, instead of trying to verify that the upstream package is the
 same as yours.

        If you find this inadequate, then your best bet to seeing this
 happen is to go ahead and start submitting patches to make package be
 bit-for-bit compatible -- starting with, perhaps, the essential
 packages.  Once you have enough of the packages converted, we can talk
 about making this a policy recommendation.

        I think building gcc builds it several times, and they had a
 neat trick of ignoring the first few bytes of a file which had the time
 stamp, and comparing the rest. You could try using that technique to
 compare files in packages.

        I, for one, think this technically infeasible, but hey, I'll be
 happy to be proved wrong.

"There can be no offense where none is taken" Japanese proverb
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/~srivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C

Reply to: