
Re: Building packages with exact binary matches



Manoj Srivastava <srivasta@debian.org> wrote:

> On Mon, 24 Sep 2007 04:56:45 +0200, Martin Uecker <muecker@gmx.de> said: 
>
> > If policy would require the exact reproducibility of binaries, then it
> > would be a policy violation.
>
>        That is not how things work around here.  In a case like this,
> policy will _follow_ most packages being bit-for-bit identical, and
> can't be used as a stick to beat people on the head with.

Ok.

> > I do not see how this helps. Imagine a build host is compromised and
> > this is noticed only after a few weeks. Theoretically every machine
> > which downloaded and installed a package in this time could be
> > compromised. And even worse: it is practically impossible to find out
> > whether a package is actually affected!
>
>        Actually, if you do not trust the path down which a binary
> package flows, you can not use any information down that flow path to
> test your implementation.  You need to do a full source audit, and
> build from source -- at which point, you might just install your trusted
> binary, instead of trying to verify that the upstream package is the
> same as yours.

It would be enough if just a few people actually recompile the
binaries and compare them to the official Debian packages. Then
*everybody* could trust that the packages are not modified,
because any modification would be detected immediately. This is
only possible with bit-identical binaries.

Martin


