Hi,

For our kernels and maybe more, perhaps it would be beneficial to make sure builds are deterministic, or at least, try to produce identical output on every build from the same source.

The security rationale is that the build system can be audited this way, by someone else running a build on their own hardware, and the binaries (gzipped kernel image and modules) should match exactly.

But this might also be convenient to show precisely the effects of applying a security patch - to verify it has really been effective. (A mistake like this was made in a security patch from upstream[0], although I noticed it in the source when applying.)

It might make it easy to see when toolchain changes have effects too, once all other noise is removed.

Some differences I've seen between kfreebsd-9 builds are:

* the gzipped kernel image contains a timestamp (can be avoided with the gzip -n flag)
* osrelease/osreldate/print_version/uname - would it be acceptable to take the timestamp from debian/changelog, instead of recording the exact time the build was run?

[0]: http://lists.freebsd.org/pipermail/freebsd-security/2012-June/006346.html

Regards,
-- 
Steven Chamberlain
[email protected]


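As an added illustration (not part of the post above), the Python below stands in for the two build differences listed: it reads the timestamp field of a gzip header (the field `gzip -n` leaves at zero) and derives a fixed build timestamp from a debian/changelog trailer line instead of the wall clock. The kernel bytes, the changelog entry and the mtime values are all constructed for the example.

```python
import gzip
from email.utils import parsedate_to_datetime
from typing import List, Optional

# Constructed stand-in for a kernel image: the bytes themselves do not matter.
KERNEL_IMAGE = b"\x7fELF" + bytes(range(256)) * 8

# Constructed debian/changelog with a single entry and its RFC 2822 trailer.
CHANGELOG = """kfreebsd-9 (9.0-5) unstable; urgency=low

  * Constructed entry used to derive a reproducible build timestamp.

 -- Example Maintainer <maintainer@example.org>  Mon, 18 Jun 2012 14:00:00 +0100
"""


def gzip_mtime(blob: bytes) -> int:
    """Read the MTIME field of a gzip header (bytes 4..7, little-endian)."""
    if blob[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip stream")
    return int.from_bytes(blob[4:8], "little")


def changelog_timestamp(changelog: str) -> int:
    """Unix time of the newest entry's trailer line (' -- Name <email>  date').

    Using this instead of the clock gives every build of the same source the
    same osreldate/uname-style timestamp, so builds can be compared byte for byte.
    """
    for line in changelog.splitlines():
        if line.startswith(" -- ") and "  " in line[4:]:
            date_str = line[4:].split("  ", 1)[1].strip()
            return int(parsedate_to_datetime(date_str).timestamp())
    raise ValueError("no changelog trailer line found")


def compress_kernel(image: bytes, mtime: Optional[int]) -> bytes:
    """gzip the image with an explicit header timestamp.

    mtime=0 is what 'gzip -n' stores; mtime=None records the current time,
    which is the non-reproducible default.
    """
    return gzip.compress(image, compresslevel=9, mtime=mtime)


def differing_offsets(a: bytes, b: bytes) -> List[int]:
    """Byte offsets at which two equal-length gzip outputs differ."""
    if len(a) != len(b):
        raise ValueError("blobs differ in length")
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
```

Two builds that differ only in their recorded time differ only at the header's MTIME bytes, which is exactly the noise `gzip -n` or a changelog-derived timestamp removes before comparing images.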