Re: Building packages with exact binary matches
Manoj Srivastava <firstname.lastname@example.org> wrote:
> On Mon, 24 Sep 2007 04:56:45 +0200, Martin Uecker <email@example.com> said:
> > If policy would require the exact reproducibility of binaries, then it
> > would be a policy violation.
> That is not how things work around here. In a case like this,
> policy will _follow_ most packages being bit-for-bit identical, and
> can't be used as a stick to beat people on the head with.
> > I do not see how this helps. Imagine a build host is compromised and
> > this is noticed only after a few weeks. Theoretically every machine
> > which downloaded and installed a package in this time could be
> > compromised. And even worse: it is practically impossible to find out
> > whether a package is actually affected!
> Actually, if you do not trust the path down which a binary
> package flows, you can not use any information down that flow path to
> test your implementation. You need to do a full source audit, and
> build from source -- at which point, you might just install your trusted
> binary, instead of trying to verify that the upstream package is the
> same as yours.
It would be enough if just a few people actually recompiled the
binaries and compared them to the official Debian packages. Then
*everybody* could trust that the packages are not modified,
because any modification would be detected immediately. This is
only possible with bit-identical binaries.
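The check Martin describes, as an added example that is not part of the thread: a rebuilder compares its own build of a package against the one on the mirror. A .deb is an `ar` archive whose members are `debian-binary`, a control tarball and a data tarball, so the example parses that container and reports both whether the files are bit-identical and, if not, which member differs. The sample packages are constructed inline with opaque member payloads; the names `build_deb`, `parse_ar` and `compare_debs` are this example's own, not dpkg's.

```python
import hashlib

AR_MAGIC = b"!<arch>\n"


def _ar_member(name: bytes, data: bytes, mtime: int) -> bytes:
    """Serialise one member in the common ar format (60-byte header + data)."""
    header = (
        name.ljust(16)
        + str(mtime).encode().ljust(12)   # mtime: the classic source of non-identical builds
        + b"0".ljust(6)                   # uid
        + b"0".ljust(6)                   # gid
        + b"100644".ljust(8)              # mode
        + str(len(data)).encode().ljust(10)
        + b"`\n"                          # member magic
    )
    pad = b"\n" if len(data) % 2 else b""  # members are padded to an even offset
    return header + data + pad


def build_deb(control_tar: bytes, data_tar: bytes, mtime: int = 0) -> bytes:
    """Constructed stand-in for a .deb: the three members dpkg expects, uncompressed tarballs."""
    return (
        AR_MAGIC
        + _ar_member(b"debian-binary", b"2.0\n", mtime)
        + _ar_member(b"control.tar", control_tar, mtime)
        + _ar_member(b"data.tar", data_tar, mtime)
    )


def parse_ar(blob: bytes) -> dict:
    """Return {member name: payload}; raises ValueError on a malformed archive."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    members, pos = {}, len(AR_MAGIC)
    while pos < len(blob):
        header = blob[pos:pos + 60]
        if len(header) < 60 or header[58:60] != b"`\n":
            raise ValueError("truncated or corrupt member header")
        name = header[0:16].rstrip(b" /").decode("ascii")  # GNU ar may suffix names with '/'
        size = int(header[48:58].strip())
        start = pos + 60
        data = blob[start:start + size]
        if len(data) != size:
            raise ValueError("truncated member payload")
        members[name] = data
        pos = start + size + (size % 2)
    return members


def compare_debs(official: bytes, rebuilt: bytes) -> dict:
    """Whole-file comparison plus a member-level diff to localise any difference."""
    identical = hashlib.sha256(official).digest() == hashlib.sha256(rebuilt).digest()
    a, b = parse_ar(official), parse_ar(rebuilt)
    differing = [n for n in sorted(set(a) | set(b)) if a.get(n) != b.get(n)]
    return {
        "bit_identical": identical,
        "differing_members": differing,
        # payloads match but bytes do not: the difference is in archive metadata (e.g. mtime)
        "metadata_only": (not identical) and not differing,
    }


def disagreeing_rebuilders(official: bytes, rebuilds: list) -> list:
    """Indices of independent rebuilders whose result is not bit-identical to the mirror copy."""
    return [i for i, r in enumerate(rebuilds) if not compare_debs(official, r)["bit_identical"]]


# Constructed sample payloads: what the tarballs would contain is irrelevant to the check.
CONTROL = b"Package: hello\nVersion: 1.0\nArchitecture: amd64\n"
DATA = b"usr/bin/hello: <binary contents>"

OFFICIAL = build_deb(CONTROL, DATA, mtime=0)
REBUILT_SAME = build_deb(CONTROL, DATA, mtime=0)            # clean, deterministic rebuild
REBUILT_TS = build_deb(CONTROL, DATA, mtime=1190000000)     # same content, timestamp embedded
TAMPERED = build_deb(CONTROL, DATA + b"\n<extra payload>", mtime=0)  # content changed on the build host

if __name__ == "__main__":
    for label, pkg in (("clean", REBUILT_SAME), ("timestamped", REBUILT_TS), ("tampered", TAMPERED)):
        print(label, compare_debs(OFFICIAL, pkg))
    print("disagreeing:", disagreeing_rebuilders(OFFICIAL, [REBUILT_SAME, REBUILT_TS, TAMPERED]))
```

The `metadata_only` flag is the practical caveat behind "only possible with bit-identical binaries": a rebuild that embeds a timestamp is flagged as different even though every member payload matches, so the build process itself has to be deterministic before a rebuilder's mismatch can be read as evidence of tampering rather than noise.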