On Wed, 2022-05-11 at 19:38 +0200, Adam Borowski wrote: > You may want to talk to people responsible for that firmware, reproducible > builds sounds like an attainable goal to me. I don't have any of the hardware that supports SOF, so I'll leave that up to the firmware-sof-signed maintainer etc. We don't have the unsigned firmware (nor the needed cross-compiler packages) in Debian yet and as I understand it, there is very little hardware that can use the unsigned firmware and the Intel signed firmware is relatively easy to package, while a reproducibly built Intel signed firmware would be much more complex, so motivation to do this in Debian seems low. > On the other hand, an update to the compiler can make it produce different > binaries, making the signature invalid. Pinning the exact version of the > compiler would be unpleasant. Yeah, although perhaps Intel could be convinced to regularly re-build and re-sign their official firmware binaries using the latest compiler versions. Also there are relatively few compiler updates in stable. There are lots of distros with many different compiler builds, so asking for lots of builds might not get any sympathy. Maybe they could have a system to auto-bless distro-built binaries after builds. -- bye, pabs https://wiki.debian.org/PaulWise
Attachment:
signature.asc
Description: This is a digitally signed message part