Hi Steven,

Steven Chamberlain:
> For our kernels and maybe more, perhaps it would be beneficial to make
> sure builds are deterministic, or at least, try to produce identical
> output on every build from the same source.
>
> The security rationale is that the build system can be audited this way,
> by someone else running a build on their own hardware, and the binaries
> (gzipped kernel image and modules) should match exactly.
>
> But this might also be convenient to show precisely the effects of
> applying a security patch - to verify it has really been effective. (A
> mistake like this was made in a security patch from upstream[0],
> although I noticed it in the source when applying).

Nice spotting, I had never thought of that...

> Some differences I've seen between kfreebsd-9 builds are:
>
> * the gzipped kernel image contains a timestamp (can be avoided with the
> gzip -n flag)

Please go ahead ;-)

> * osrelease/osreldate/print_version/uname - would it be acceptable to
> take the timestamp from debian/changelog, instead of recording the exact
> time the build was run?

Upstream does something similar with the svn version number. I suggest you
look at newvers.sh; perhaps it can be expanded to support other variables.

-- 
Robert Millan
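As an added illustration of the two points discussed above (not code from this thread, from the kfreebsd-9 packaging, or from newvers.sh), the Python script below models what an auditor doing an independent rebuild would check. It uses Python's gzip module as a stand-in for gzip(1): the MTIME field that gzip writes by default (and that gzip -n suppresses) is parsed back out of the header, two "builds" of the same input are compared, and a fixed timestamp is derived from the trailer date of a changelog entry instead of the wall clock. The changelog text, the payload and every timestamp are constructed for the example.

```python
"""Reproducible gzip output: the MTIME header field vs. a fixed timestamp."""
import gzip
import hashlib
import io
import re
import struct
from email.utils import parsedate_to_datetime

# Constructed stand-in for a debian/changelog entry (Debian uses an RFC 2822
# date on the trailer line). Not a real kfreebsd-9 changelog.
SAMPLE_CHANGELOG = """\
kfreebsd-9 (9.0-0) unstable; urgency=low

  * Example entry, constructed for this illustration.

 -- Example Maintainer <maintainer@example.invalid>  Sat, 14 Jul 2012 12:34:56 +0200
"""

GZIP_MAGIC = b"\x1f\x8b"


def changelog_epoch(changelog: str) -> int:
    """Return the Unix time of the newest changelog entry's trailer date.

    This is the "take the timestamp from debian/changelog" idea: the value is
    a function of the source tree, so every rebuild derives the same one.
    """
    for line in changelog.splitlines():
        m = re.match(r"^ -- .+?  (.+)$", line)  # two spaces separate name and date
        if m:
            return int(parsedate_to_datetime(m.group(1)).timestamp())
    raise ValueError("no changelog trailer line found")


def gzip_bytes(data: bytes, mtime: int) -> bytes:
    """gzip `data`; `mtime` is written into the 4-byte MTIME header field.

    gzip(1) stores the current time there by default; `gzip -n` stores 0.
    Passing an explicit mtime here models that choice.
    """
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=mtime) as f:
        f.write(data)
    return buf.getvalue()


def header_mtime(blob: bytes) -> int:
    """Parse the MTIME field (bytes 4..7, little-endian, RFC 1952) of a gzip stream."""
    if blob[:2] != GZIP_MAGIC:
        raise ValueError("not a gzip stream")
    return struct.unpack("<I", blob[4:8])[0]


def sha256(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def audit_rebuild(data: bytes, mtime_a: int, mtime_b: int) -> dict:
    """Simulate two independent builds of the same input and compare outputs.

    Reports whether the digests match and whether the *only* disagreement is
    the MTIME field, which an auditor wants to know before attributing the
    difference to a changed source tree or toolchain.
    """
    a, b = gzip_bytes(data, mtime_a), gzip_bytes(data, mtime_b)
    only_mtime_differs = a[:4] == b[:4] and a[8:] == b[8:] and a[4:8] != b[4:8]
    return {
        "identical": sha256(a) == sha256(b),
        "only_mtime_differs": only_mtime_differs,
        "mtime_a": header_mtime(a),
        "mtime_b": header_mtime(b),
    }


if __name__ == "__main__":
    payload = b"kernel image bytes (constructed)\n" * 64
    # Same source, built on two different days: digests differ only in MTIME.
    print("wall-clock mtime:", audit_rebuild(payload, 1342200000, 1342286400))
    # gzip -n equivalent: MTIME fixed at 0, so both builds are byte-identical.
    print("mtime=0 (gzip -n):", audit_rebuild(payload, 0, 0))
    # Timestamp taken from the changelog: identical on every rebuild, yet still
    # carries a meaningful date rather than zero.
    t = changelog_epoch(SAMPLE_CHANGELOG)
    print("changelog mtime:", t, audit_rebuild(payload, t, t))
```

The same header check applies to a real gzipped kernel image: if two rebuilds differ only in bytes 4..7, the cause is the timestamp and not the compiled code, which is exactly the distinction the audit described above needs to make.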

