Re: Reproducible Builds for recent Debian security updates
- To: Vagrant Cascadian <vagrant@reproducible-builds.org>
- Cc: rb-general@lists.reproducible-builds.org, debian-wb-team@lists.debian.org, team@security.debian.org, Philipp Kern <pkern@debian.org>, zeha@debian.org
- Subject: Re: Reproducible Builds for recent Debian security updates
- From: Salvatore Bonaccorso <carnil@debian.org>
- Date: Sat, 30 Mar 2024 23:16:09 +0100
- Message-id: <ZgiPKVa0T7tO9TRk@eldamar.lan>
- Mail-followup-to: Vagrant Cascadian <vagrant@reproducible-builds.org>, rb-general@lists.reproducible-builds.org, debian-wb-team@lists.debian.org, team@security.debian.org, Philipp Kern <pkern@debian.org>, zeha@debian.org
- In-reply-to: <87zfuf5qb4.fsf@wireframe>
- References: <8734s878b8.fsf@wireframe> <ZgfyO25CH12ScLWb@eldamar.lan> <87zfuf5qb4.fsf@wireframe>
Hi,
On Sat, Mar 30, 2024 at 03:05:03PM -0700, Vagrant Cascadian wrote:
> On 2024-03-30, Salvatore Bonaccorso wrote:
> > On Fri, Mar 29, 2024 at 07:38:35PM -0700, Vagrant Cascadian wrote:
> >> Philipp Kern asked about trying to do reproducible builds checks for
> >> recent security updates to try to gain confidence about Debian's buildd
> >> infrastructure, given that they run builds in sid chroots which may have
> >> used or built or run a vulnerable xz-utils...
> ...
> > Thanks a lot for doing this verification work!
>
> It is such an obvious application for Reproducible Builds that many
> people have worked on for many years. So... I daresay, my pleasure and
> honor. :)
>
>
> > There would be an upcoming (or actually postponed) util-linux update
> > as well. Could you as extra paranoia please verify these here as well
> > (I assume its enough for you that the source package is signed, I
> > stripped the signature from the changes):
> >
> > https://people.debian.org/~carnil/tmp/util-linux/
>
> I don't see any source packages there, just .deb .changes and signed
> .buildinfo files! The signed .buildinfo files are great, but would
> definitely need the source code ... looks like the util-linux changes
> are in a git branch, but a signed .dsc would be nice just to be sure I
> am testing the same thing. That said, testing from git and getting
> bit-for-bit identical results ... would be confidence inspiring!
> Hmmm. Might just go for it, and if we have issues, maybe try to dig up
> the .dsc? :)
Sorry, that was my fault obviously. The orig.tar.xz, debian.tar.xz and
dsc files are now there as well.
Regards,
Salvatore
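As an added illustration (not code from this thread, from Debian, or from the Reproducible Builds project) of the check being discussed: the script below parses the Checksums-Sha256 field of a .buildinfo and reports, per binary package, whether a rebuilt artifact is bit-for-bit identical to what the original build recorded. The .buildinfo text and the .deb payloads are constructed stand-ins, and the field layout assumed is the standard `Checksums-Sha256:` block of indented `<sha256> <size> <filename>` lines.

```python
import hashlib
from typing import Dict, Tuple


def parse_sha256_checksums(buildinfo: str) -> Dict[str, Tuple[str, int]]:
    """Return {filename: (sha256_hex, size)} from the Checksums-Sha256 field."""
    entries: Dict[str, Tuple[str, int]] = {}
    in_field = False
    for line in buildinfo.splitlines():
        if in_field:
            if not line.startswith(" "):  # an unindented line starts the next field
                in_field = False
                continue
            digest, size, name = line.split()
            entries[name] = (digest.lower(), int(size))
        elif line.startswith("Checksums-Sha256:"):
            in_field = True
    return entries


def compare_rebuild(buildinfo: str, rebuilt: Dict[str, bytes]) -> Dict[str, str]:
    """Classify each recorded artifact against the bytes produced by a rebuild."""
    report: Dict[str, str] = {}
    for name, (digest, size) in parse_sha256_checksums(buildinfo).items():
        data = rebuilt.get(name)
        if data is None:
            report[name] = "missing"
        elif len(data) != size:
            report[name] = "size-mismatch"
        elif hashlib.sha256(data).hexdigest() != digest:
            report[name] = "sha256-mismatch"
        else:
            report[name] = "reproduced"
    return report


# Constructed stand-ins for the binaries the original build produced (not real .debs).
ORIGINAL_ARTIFACTS = {
    "example-bin_0.0-1_amd64.deb": b"constructed deb payload A",
    "libexample_0.0-1_amd64.deb": b"constructed deb payload B",
}


def make_buildinfo(artifacts: Dict[str, bytes]) -> str:
    """Construct a minimal .buildinfo with the checksums of the given artifacts."""
    lines = ["Format: 1.0", "Source: example", "Architecture: amd64",
             "Version: 0.0-1", "Checksums-Sha256:"]
    for name, data in sorted(artifacts.items()):
        lines.append(f" {hashlib.sha256(data).hexdigest()} {len(data)} {name}")
    lines.append("Build-Architecture: amd64")
    return "\n".join(lines) + "\n"


SAMPLE_BUILDINFO = make_buildinfo(ORIGINAL_ARTIFACTS)
```

In practice the .buildinfo's signature (and the .dsc's) is verified first, so that the checksums being compared against are the ones the original builder actually signed; this snippet only covers the comparison step.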