Re: Recompilation of ALL Debian packages ...

Scripsit "James R. Van Zandt" <jrvz@comcast.net>

>  - Allow an automated comparison of the two .debs.  This would take
>    some work to set up, but I would hope to detect a binary that
>    doesn't correspond to the claimed sources.  Also incorrect version
>    of a compiler and different library versions than claimed in the
>    dependencies.

There are many build tools that embed timestamps into the files being
built, each in their own way and with their own format.  Building the
same package twice in the same, clean, environment will in general
lead to .debs where the content of binary files differ in many places.

An automated comparison would need package-specific overrides for a
nontrivial percentage of our source packages. If the maintainer
declares the overrides, we don't gain security against deliberate
trojanings. If not, then whom _do_ we trust enough to maintain the
override database? And what useful work would they have to skip in
order to maintain comparison overrides?

Henning Makholm
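An added illustration of the comparison discussed above; it is not part of the thread and not Debian tooling. It uses a constructed toy artifact format (a magic string, a 4-byte build timestamp, then the payload) standing in for a real .deb, builds it twice with different timestamps, and reports only the byte ranges that a declared override does not explain. The third check shows the caveat Henning raises: an override declared too broadly hides a modified payload just as well as it hides a timestamp.

```python
"""Compare two builds of the same source, treating declared byte ranges
(such as embedded build timestamps) as expected noise and flagging every
other difference.  The artifact format is a constructed toy, not .deb."""
import struct

MAGIC = b"TOYBIN"
# Bytes of the artifact that hold the build time (constructed layout).
TIMESTAMP_RANGE = (len(MAGIC), len(MAGIC) + 4)


def build_artifact(source: bytes, build_time: int) -> bytes:
    """Toy 'build tool': header + big-endian build timestamp + payload.
    Mimics a tool that embeds the build time into its output."""
    return MAGIC + struct.pack(">I", build_time) + source


def differing_ranges(a: bytes, b: bytes):
    """Return half-open [start, end) byte ranges where a and b differ."""
    ranges = []
    start = None
    n = max(len(a), len(b))
    for i in range(n):
        same = i < len(a) and i < len(b) and a[i] == b[i]
        if not same and start is None:
            start = i
        elif same and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, n))
    return ranges


def covered(rng, overrides):
    """True if the differing range lies entirely inside one override."""
    return any(s <= rng[0] and rng[1] <= e for s, e in overrides)


def unexplained_differences(a: bytes, b: bytes, overrides):
    """Differences that no declared override accounts for."""
    return [r for r in differing_ranges(a, b) if not covered(r, overrides)]


# Constructed sample input: one source, two build times ten minutes apart.
SOURCE = b"int main(void){return 0;}"
FIRST_BUILD, SECOND_BUILD = 1_100_000_000, 1_100_000_600
# The override a maintainer would declare for this toy format.
REBUILD_OVERRIDES = [TIMESTAMP_RANGE]


def check_clean_rebuild():
    """Honest rebuild: only the timestamp differs, and it is overridden."""
    a = build_artifact(SOURCE, FIRST_BUILD)
    b = build_artifact(SOURCE, SECOND_BUILD)
    return unexplained_differences(a, b, REBUILD_OVERRIDES)


def check_tampered_rebuild():
    """Rebuild whose payload was altered: the override does not cover it."""
    a = build_artifact(SOURCE, FIRST_BUILD)
    b = bytearray(build_artifact(SOURCE, SECOND_BUILD))
    b[-3] = ord("1")  # 'return 0' becomes 'return 1' in the payload
    return unexplained_differences(a, bytes(b), REBUILD_OVERRIDES)


def check_overbroad_override():
    """Same tampering, but the declared override spans the whole file."""
    a = build_artifact(SOURCE, FIRST_BUILD)
    b = bytearray(build_artifact(SOURCE, SECOND_BUILD))
    b[-3] = ord("1")
    whole_file = [(0, len(a))]
    return unexplained_differences(a, bytes(b), whole_file)


if __name__ == "__main__":
    print("clean rebuild, unexplained:", check_clean_rebuild())
    print("tampered rebuild, unexplained:", check_tampered_rebuild())
    print("tampered + over-broad override:", check_overbroad_override())
```

The second check reports the altered payload byte as an unexplained difference; the third reports nothing at all, which is the point of the question about who maintains the override database: whoever declares the overrides decides what the comparison can see.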

