[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Building packages three times in a row

On Mon, 24 Sep 2007 02:13:32 +0200
Martin Uecker <muecker@gmx.de> wrote:

> The idea is not to replace hashes by bit-by-bit comparison, but to
> be able to *independendly* reproduce binaries from source code in
> a bit-identical way. 

And what is going to happen when I used gcc-4.2.2007foo and you use
gcc-4.2.1 etc.? You have the .orig.tar.gz and you have the .diff.gz.
The standard method is to compare the .orig.tar.gz and then use
'interdiff -z' against the new .diff.gz.

> Then third parties can recreate the binaries
> and publish recreated hashes. 

Why? I see no benefit.

> If the recreated hashes are identical
> then you can be sure that nobody has tempered with the build process

You'll *only* get that if the build tools are identical - that isn't
tampering, it is bug fixing. gcc is not bug-free, each new version can
include new bugs or regressions - same applies to autotools, dpkg, etc.etc.

> and the binary is actually created from the unmodified sources.

== compare the .orig.tar.gz - nothing else is needed for that and all
the current tools already handle this portion.

> The
> current scheme just protects against tempering after signing. That
> is actually not very much.

You have to trust a DD at some point. If you can't trust me to build
packages properly, you'll just have to rebuild the entire archive


Neil Williams

Attachment: pgpLBJTs5sAOv.pgp
Description: PGP signature

Reply to: