
Re: Raising the severity of reproducibility issues to "important"



On Mon, Aug 24, 2015 at 11:41:21PM +0200, Vincent Bernat wrote:
>  ❦ 24 August 2015 22:30 +0100, Colin Tuckley <colint@debian.org> :
> 
> >> We have pushed other archive-wide goals that were not shared by
> >> all upstreams. For example, we have enabled hardening build flags
> >> on almost all packages and for packages that don't obey the
> >> appropriate flags, bugs with severity "important" were filed.
> >> That's not that different from a reproducible build.
> >
> > Sorry, but it's a *completely* different situation. The hardening
> > initiative made applications more secure and tamper resistant. The r-b
> > changes do nothing useful post-build.
> 
> Letting people independently check that the builds are not tampered with is
> also a security application of reproducible builds. This is notably
> important for the binary packages that have been built on a maintainer
> machine instead of a builder.

The latter point is moot - if we still allow binary packages that have
been built on a maintainer machine [1] into the archive by the time
everything installed on your computer is reproducible, that would
be a huge failure in itself.

AFAIK the only place where we currently still need binary packages that
have been built on a maintainer machine is for NEW, and after someone
has implemented a solution for that, there is no blocker left for
allowing only source-only uploads from maintainers.

cu
Adrian

[1] these also have other frequent issues,
    most notably unclean build environments

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed
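The independent-verification point raised in the thread, shown as an added example (written for this page, not code from the mail's authors, from Debian's packaging tools, or from the reproducible-builds project): an archive of a constructed, invented source tree ("hello-1.0", contents and timestamps all made up) is produced once the careless way and once with the environment-dependent fields normalised, and a "third party" rebuilds it and compares SHA-256 digests. The function names and the hand-rolled SOURCE_DATE_EPOCH clamping are this example's own assumptions; real tooling does the clamping inside tar/dpkg, but the fields it has to normalise are the ones shown here.

```python
"""Reproducible-build check: build the same source twice and compare digests,
the way an independent rebuilder verifies a maintainer's upload.
Constructed example: the package, file contents and timestamps are invented."""
import gzip
import hashlib
import io
import tarfile

# Constructed stand-in for a tiny source tree: path -> (contents, file mtime).
# The Makefile deliberately carries an mtime newer than the release date.
SOURCE_TREE = {
    "hello-1.0/hello.c": (b'#include <stdio.h>\nint main(void){puts("hi");return 0;}\n',
                          1_430_000_000),
    "hello-1.0/Makefile": (b"all:\n\tcc -o hello hello.c\n", 1_450_000_000),
}
SOURCE_DATE_EPOCH = 1_440_000_000  # release timestamp no entry may exceed (assumed value)


def _gzip_bytes(raw, mtime):
    """gzip keeps its own mtime in the member header; pin it or every .gz differs."""
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=mtime) as gz:
        gz.write(raw)
    return out.getvalue()


def build_naive(tree, uid, now):
    """Careless build: wall-clock mtime, the builder's uid/gid and name, dict order."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name, (data, _file_mtime) in tree.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = now                       # leaks the build time
            info.uid = info.gid = uid              # leaks the maintainer's account
            info.uname = info.gname = "builder%d" % uid
            tar.addfile(info, io.BytesIO(data))
    return _gzip_bytes(buf.getvalue(), now)


def build_reproducible(tree, source_date_epoch):
    """Same tree with every environment-dependent field normalised."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in sorted(tree):                  # fixed order, not filesystem order
            data, file_mtime = tree[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = min(file_mtime, source_date_epoch)  # clamp to release date
            info.uid = info.gid = 0                # no trace of who built it
            info.uname = info.gname = "root"
            tar.addfile(info, io.BytesIO(data))
    return _gzip_bytes(buf.getvalue(), source_date_epoch)


def digest(blob):
    return hashlib.sha256(blob).hexdigest()


def entry_mtimes(blob):
    """mtimes recorded inside a .tar.gz, so a rebuilder can audit the clamping."""
    with tarfile.open(fileobj=io.BytesIO(gzip.decompress(blob)), mode="r:") as tar:
        return [member.mtime for member in tar.getmembers()]


def independent_rebuild_matches(uploaded, rebuilt):
    """The check a third party runs: rebuild from the same source, compare digests."""
    return digest(uploaded) == digest(rebuilt)


if __name__ == "__main__":
    # Two people build the same source on different machines at different times.
    maintainer = build_naive(SOURCE_TREE, uid=1000, now=1_440_000_100)
    rebuilder = build_naive(SOURCE_TREE, uid=1001, now=1_440_000_900)
    print("naive build verifiable:", independent_rebuild_matches(maintainer, rebuilder))
    maintainer = build_reproducible(SOURCE_TREE, SOURCE_DATE_EPOCH)
    rebuilder = build_reproducible(SOURCE_TREE, SOURCE_DATE_EPOCH)
    print("reproducible build verifiable:", independent_rebuild_matches(maintainer, rebuilder))
    # A modified source file now shows up as a digest mismatch instead of noise.
    modified = dict(SOURCE_TREE)
    modified["hello-1.0/hello.c"] = (b"int main(void){return 1;}\n", 1_430_000_000)
    print("modified tree detected:",
          not independent_rebuild_matches(maintainer, build_reproducible(modified, SOURCE_DATE_EPOCH)))
```

With the naive build, a rebuilder's mismatch tells them nothing, because uid, build time and gzip header differ on every machine; only once those are normalised does a digest mismatch mean the inputs actually differed, which is the property that lets a third party catch a tampered upload from a maintainer machine.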
