
Re: Building packages three times in a row



On 23/09/07 at 23:32 +0200, Martin Uecker wrote:
> 
> Patrick Winnertz wrote:
> > On Tuesday, 18 September 2007 21:12:44, Julien Cristau wrote:
> > > > Hmmhh, what do you do about programs etc that encode the build-time in
> > > > the binary? I mean they obviously will change between builds?
> > >
> > > Hopefully they don't encode the build-time in the file list?
> > We checked not for files which differ, but only for files which are missing
> > in the first package, or which are missing in the second package.
> >
> 
> I think it would be really cool if the Debian policy required
> that packages could be rebuilt bit-identical from source.
> At the moment, it is impossible to independently verify the
> integrity of binary packages.

We are currently very far from that. If you want to go that direction,
you have to find a several-step process that would make us go there.

I compared the result of one build, with the result of a package built
three times, using debdiff. This has several flaws:

- it only compared the list of files. If the same files are there, but
  with totally different size, it won't notice.

- it didn't compare with what is in the archive: packages in the archive
  might be totally different, because they were built at a different
  time (with a different toolchain), or in a dirty environment.

Basically, the goal you should aim at is "rebuilding a package should
generate binary packages similar enough to what's already in the
archive."

Raphael's dpkg-shlibdeps work should also help with that, but it doesn't
seem like #430367 has progressed recently?
-- 
| Lucas Nussbaum
| lucas@lucas-nussbaum.net   http://www.lucas-nussbaum.net/ |
| jabber: lucas@nussbaum.fr             GPG: 1024D/023B3F4F |
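
The first flaw listed in the message above (a file-list comparison misses files whose content changed), shown as an added example that is not part of the original message. It assumes in-memory tar archives as stand-ins for two builds' package contents; the function names and sample files are constructed for illustration.

```python
import hashlib
import io
import tarfile

def make_tar(files):
    """Build an in-memory tar (stand-in for a package's contents) from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def manifest(tar_bytes):
    """Map each regular file's path to (size, sha256 of its content)."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for member in tar:
            if member.isfile():
                data = tar.extractfile(member).read()
                out[member.name] = (member.size, hashlib.sha256(data).hexdigest())
    return out

def compare(first, second):
    """Report list differences plus the size/content differences a list-only check misses."""
    a, b = manifest(first), manifest(second)
    common = a.keys() & b.keys()
    return {
        "only_in_first": sorted(a.keys() - b.keys()),
        "only_in_second": sorted(b.keys() - a.keys()),
        "size_differs": sorted(p for p in common if a[p][0] != b[p][0]),
        "content_differs": sorted(
            p for p in common if a[p][0] == b[p][0] and a[p][1] != b[p][1]),
    }

# Constructed sample builds: one file dropped, one embedding its build time
# (same size, different bytes), one with a different size, one unchanged.
FIRST = make_tar({"usr/bin/tool": b"ELF built 2007-09-18 21:12",
                  "usr/lib/libhelper.so": b"x" * 100,
                  "usr/share/doc/tool/changelog": b"same text",
                  "usr/share/man/man1/tool.1": b"manual page"})
SECOND = make_tar({"usr/bin/tool": b"ELF built 2007-09-23 23:32",
                   "usr/lib/libhelper.so": b"x" * 4000,
                   "usr/share/doc/tool/changelog": b"same text"})

if __name__ == "__main__":
    for kind, paths in compare(FIRST, SECOND).items():
        print(f"{kind}: {paths}")
```

A list-only comparison of these two builds reports just the missing man page; the size and content entries are what it does not see.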
