Re: Compromising Debian Repositories

To: debian-security@lists.debian.org
Subject: Re: Compromising Debian Repositories
From: adrelanos <adrelanos@riseup.net>
Date: Thu, 22 Aug 2013 13:53:43 +0000
Message-id: <[🔎] 521617E7.40807@riseup.net>
In-reply-to: <[🔎] 844nai8bwe.fsf@sauna.l.org>
References: <[🔎] CAKhc=u4jKgHLdsXpTB2ecQ1T2CEv-AMa5geM6OqN+sgcYKnP8g@mail.gmail.com> <[🔎] 52150286.1000003@riseup.net> <[🔎] 844nai8bwe.fsf@sauna.l.org>

Timo Juhani Lindfors:
> adrelanos <adrelanos@riseup.net> writes:
>> Some Debian maintainers are working on deterministic builds, although
>> they call it reproducible builds, that's great! Link:
>> https://wiki.debian.org/ReproducibleBuilds
> 
> Terminology is hard :) As mentioned in the bof we can make sure that the
> build is deterministic or we can record sources of randomness
> (gettimeofday calls etc.) and then replay then in subsequent
> builds. Would that still qualify as deterministic for you?

I am not nitpicking on the term. :) Any is fine. However you call it, I
am very excited about the fact, that there are people interested in it.

The end result would be the same? No security advantage/disadvantage for
one or another method? The latter method might pay off later and ease
porting more packages?

Reply to:

References:
- Compromising Debian Repositories
  - From: Daniel Sousa <daniel@sousa.me>
- Re: Compromising Debian Repositories
  - From: adrelanos <adrelanos@riseup.net>
- Re: Compromising Debian Repositories
  - From: Timo Juhani Lindfors <timo.lindfors@iki.fi>

Prev by Date: Re: Compromising Debian Repositories
Next by Date: Re: Compromising Debian Repositories
Previous by thread: Re: Compromising Debian Repositories
Next by thread: Re: Compromising Debian Repositories
Index(es):
- Date
- Thread