
Re: Building packages three times in a row



On Sun, 23 Sep 2007 23:32:59 +0200
Martin Uecker <muecker@gmx.de> wrote:

> 
> Patrick Winnertz wrote:
> > On Tuesday, 18 September 2007 21:12:44, Julien Cristau wrote:
> > > > Hmmhh, what do you do about programs etc that encode the build-time in
> > > > the binary? I mean they obviously will change between builds?
> > >
> > > Hopefully they don't encode the build-time in the file list?
> > We checked not for files which differ, but only for files which are missing 
> > in the first package, or which are missing in the second package.
> >
> 
> I think it would be really cool if the Debian policy required
> that packages could be rebuilt bit-identical from source. 
> At the moment, it is impossible to independently verify the
> integrity of binary packages.

This has been covered before - certain upstream macros are among many
factors that ensure that this is unlikely. I, for one, use such macros
upstream to indicate the build time of the actual executable installed
so this will change the binary every time it is built.

You have md5sums and GnuPG signatures on the Release files - I see no
benefit from bit-matching.

-- 

Neil Williams
=============
http://www.data-freedom.org/
http://www.nosoftwarepatents.com/
http://www.linux.codehelp.co.uk/
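
The two checks discussed in this thread, side by side, as an added example that is not part of the original message or of any Debian tooling: a file-list comparison (files missing from either build) and a per-file content comparison. It assumes each build's payload is a plain tar archive; the paths, file contents and the names `make_build`, `file_digests` and `compare_builds` are constructed for illustration.

```python
import hashlib
import io
import tarfile


def make_build(files):
    """Pack {path: bytes} into an in-memory tar, standing in for a package payload."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in sorted(files.items()):
            info = tarfile.TarInfo(path)  # mtime defaults to 0, so the tar itself is stable
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def file_digests(archive):
    """Return {path: sha256 hex digest} for every regular file in the archive."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(archive)) as tar:
        for member in tar:
            if member.isfile():
                data = tar.extractfile(member).read()
                digests[member.name] = hashlib.sha256(data).hexdigest()
    return digests


def compare_builds(first, second):
    """Report files missing on either side and files whose bytes differ."""
    a, b = file_digests(first), file_digests(second)
    return {
        "missing_in_first": sorted(set(b) - set(a)),
        "missing_in_second": sorted(set(a) - set(b)),
        "content_differs": sorted(p for p in set(a) & set(b) if a[p] != b[p]),
    }


# Constructed sample data: the same source built twice; the binary embeds its build time.
BUILD_1 = make_build({
    "usr/bin/tool": b"\x7fELF...built Sep 18 2007 21:12:44",
    "usr/share/doc/tool/copyright": b"GPL\n",
})
BUILD_2 = make_build({
    "usr/bin/tool": b"\x7fELF...built Sep 23 2007 23:32:59",
    "usr/share/doc/tool/copyright": b"GPL\n",
})
# Constructed third build that lost a file; the file-list check reports it.
BUILD_3 = make_build({"usr/bin/tool": b"\x7fELF...built Sep 24 2007 08:00:00"})

print(compare_builds(BUILD_1, BUILD_2))
```

For the first two builds the file lists match and only `usr/bin/tool` shows up under `content_differs`, which is where an embedded build time becomes visible.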
