
Re: Raising the severity of reproducibility issues to "important"



On Mon, Aug 24, 2015 at 10:30:45PM +0100, Colin Tuckley wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> On 24/08/15 22:02, Vincent Bernat wrote:
> 
> > We have pushed other archive-wide goals that were not shared by
> > all upstreams. For example, we have enabled hardening build flags
> > on almost all packages and for packages that don't obey the
> > appropriate flags, bugs with severity "important" were filed.
> > That's not that different from a reproducible build.
> 
> Sorry, but it's a *completely* different situation. The hardening
> initiative made applications more secure and tamper resistant. The r-b
> changes do nothing useful post-build.

Sorry, but this is not correct. You may not think it important, but that
doesn't mean it is useless post-build. The ability to independently
verify that the built binary did indeed come from a given source is a
*huge* benefit.

-- 
It is easy to love a country that is famous for chocolate and beer

  -- Barack Obama, speaking in Brussels, Belgium, 2014-03-26
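As an added illustration of the "independent verification" argument above (example code written for this archive page, not part of the original message or of any Debian tooling): a first party builds from source and publishes a digest of the result; a third party with the same source rebuilds and compares. The "source tree" and both "compilers" are constructed stand-ins, and the only assumptions are a POSIX shell with `sha256sum` (or `shasum`), `od` and `mktemp`. The non-reproducible builder embeds a per-build nonce, which is all it takes for the published digest to become unverifiable.

```shell
# Added example: what independent verification of a build looks like.
# Assumed: POSIX sh, sha256sum or shasum, od, mktemp. Source and "compilers"
# below are constructed stand-ins, not a real package build.
set -eu

# Constructed source tree: a single file whose content the build transforms.
make_source() {
    mkdir -p "$1"
    printf 'int main(void) { return 0; }\n' > "$1/main.c"
}

# Reproducible build: the output depends only on the source content.
build_reproducible() {
    src=$1; out=$2
    { printf 'BUILD-OUTPUT\n'; cat "$src/main.c"; } > "$out"
}

# Non-reproducible build: embeds a per-build nonce (standing in for a
# timestamp, hostname or build path), so two builds of identical source differ.
build_unreproducible() {
    src=$1; out=$2
    nonce=$(od -An -N4 -tu4 /dev/urandom | tr -d ' ')
    { printf 'BUILD-OUTPUT build-id=%s\n' "$nonce"; cat "$src/main.c"; } > "$out"
}

# SHA-256 of a file, hex only.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# verify_build SRC BUILDER REFERENCE_DIGEST
# Rebuilds SRC with BUILDER and compares against the digest the original
# builder published. Prints "match" or "mismatch"; returns 0 only on match.
verify_build() {
    src=$1; builder=$2; reference=$3
    tmp=$(mktemp)
    "$builder" "$src" "$tmp"
    actual=$(digest "$tmp")
    rm -f "$tmp"
    if [ "$actual" = "$reference" ]; then
        echo match; return 0
    else
        echo mismatch; return 1
    fi
}

# Demo: the first party builds and publishes a digest; a second party rebuilds.
demo() {
    work=$(mktemp -d)
    make_source "$work/src"

    build_reproducible "$work/src" "$work/a.bin"
    published=$(digest "$work/a.bin")
    echo "reproducible build:     $(verify_build "$work/src" build_reproducible "$published" || true)"

    build_unreproducible "$work/src" "$work/b.bin"
    published=$(digest "$work/b.bin")
    echo "non-reproducible build: $(verify_build "$work/src" build_unreproducible "$published" || true)"

    rm -rf "$work"
}

demo
```

The point the script makes is the one the reply makes: with a reproducible build, anyone holding the source can confirm that a shipped binary is the binary that source produces, and a mismatch is a signal worth investigating (a modified toolchain, a tampered binary, or simply an unreproducible build that needs fixing before the check means anything).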

