On Mon, 24 Sep 2007 02:13:32 +0200
Martin Uecker <muecker@gmx.de> wrote:

> The idea is not to replace hashes by bit-by-bit comparison, but to
> be able to *independently* reproduce binaries from source code in
> a bit-identical way.

And what is going to happen when I use gcc-4.2.2007foo and you use
gcc-4.2.1 etc.?

You have the .orig.tar.gz and you have the .diff.gz. The standard
method is to compare the .orig.tar.gz and then use 'interdiff -z'
against the new .diff.gz.

> Then third parties can recreate the binaries
> and publish recreated hashes.

Why? I see no benefit.

> If the recreated hashes are identical
> then you can be sure that nobody has tampered with the build process

You'll *only* get that if the build tools are identical - that isn't
tampering, it is bug fixing. gcc is not bug-free, each new version can
include new bugs or regressions - same applies to autotools, dpkg,
etc. etc.

> and the binary is actually created from the unmodified sources.

== compare the .orig.tar.gz - nothing else is needed for that and all
the current tools already handle this portion.

> The
> current scheme just protects against tampering after signing. That
> is actually not very much.

You have to trust a DD at some point. If you can't trust me to build
packages properly, you'll just have to rebuild the entire archive
yourself.

-- 
Neil Williams
=============
http://www.data-freedom.org/
http://www.nosoftwarepatents.com/
http://www.linux.codehelp.co.uk/