Manoj Srivastava <[EMAIL PROTECTED]> wrote:

> On Mon, 24 Sep 2007 04:56:45 +0200, Martin Uecker <[EMAIL PROTECTED]> said:
>
> > If policy would require the exact reproducibility of binaries, then it
> > would be a policy violation.
>
> That is not how things work around here. In a case like this,
> policy will _follow_ most packages being bit-for-bit identical, and
> can't be used as a stick to beat people on the head with.

Ok.

> > I do not see how this helps. Imagine a build host is compromised and
> > this is noticed only after a few weeks. Theoretically every machine
> > which downloaded and installed a package in this time could be
> > compromised. And even worse: it is practically impossible to find out
> > whether a package is actually affected!
>
> Actually, if you do not trust the path down which a binary
> package flows, you can not use any information down that flow path to
> test your implementation. You need to do a full source audit, and
> build from source -- at which point, you might just install your trusted
> binary, instead of trying to verify that the upstream package is the
> same as yours.

It would be enough if just a few people actually recompiled the binaries
and compared them to the official Debian packages. Then *everybody* could
trust that the packages are not modified, because any modification would
be detected immediately. This is only possible with bit-identical binaries.

Martin

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
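The check Martin describes (independent rebuilders compare their output with the official package and any modification shows up as a mismatch) is sketched below as an added example; it is not code from this thread or from the Debian project. It constructs two small in-memory tar archives as stand-ins for the data member of an official package and a rebuild, reports whether they are byte-for-byte identical and, if not, which files differ, and then tallies how several rebuilders' hashes compare with the official one. Archive contents, file names and hashes are all constructed for the example.

```python
"""Compare independently rebuilt package contents with the official build.

Added example, not code from the Debian thread or project. The archives
below are constructed in memory as stand-ins for a package's data member.
"""
import hashlib
import io
import tarfile


def build_archive(files):
    """Construct an uncompressed tar archive in memory from {name: bytes}.

    Names are added in sorted order and mtime is pinned to 0, since
    ordering and timestamps are classic sources of non-identical rebuilds.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(files):
            data = files[name]
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            info.mtime = 0
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def archive_sha(archive_bytes):
    """SHA-256 of the whole archive, the value a rebuilder would publish."""
    return hashlib.sha256(archive_bytes).hexdigest()


def member_digests(archive_bytes):
    """Map each regular member name to the SHA-256 of its contents."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        for info in tar.getmembers():
            if not info.isfile():
                continue
            digests[info.name] = hashlib.sha256(
                tar.extractfile(info).read()).hexdigest()
    return digests


def compare_builds(official, rebuilt):
    """Describe how two builds differ.

    'identical' is the bit-for-bit property the thread argues for; the
    other keys break a mismatch down per file so the cause can be chased.
    """
    off = member_digests(official)
    reb = member_digests(rebuilt)
    return {
        "identical": official == rebuilt,
        "only_official": sorted(set(off) - set(reb)),
        "only_rebuilt": sorted(set(reb) - set(off)),
        "changed": sorted(n for n in off.keys() & reb.keys()
                          if off[n] != reb[n]),
    }


def consensus(official_sha, rebuilder_shas):
    """Tally how independent rebuilders agree with the official hash.

    One disagreeing rebuilder usually points at that rebuilder's own
    environment; every rebuilder disagreeing with the official hash is
    the signal that the published binary was not built from the source.
    """
    agree = sum(1 for h in rebuilder_shas if h == official_sha)
    return {
        "agree": agree,
        "disagree": len(rebuilder_shas) - agree,
        "official_suspect": bool(rebuilder_shas) and agree == 0,
    }


# Constructed sample data: an "official" build, a faithful rebuild, and a
# rebuild in which one file's contents differ (standing in for a change).
_FILES = {"usr/bin/tool": b"\x7fELF-fake-binary-v1",
          "usr/share/doc/tool/copyright": b"GPL-2\n"}
OFFICIAL = build_archive(_FILES)
REBUILT_SAME = build_archive(dict(_FILES))
REBUILT_DIFF = build_archive({**_FILES, "usr/bin/tool": b"\x7fELF-fake-binary-v2"})

if __name__ == "__main__":
    print(compare_builds(OFFICIAL, REBUILT_SAME))
    print(compare_builds(OFFICIAL, REBUILT_DIFF))
    print(consensus(archive_sha(OFFICIAL),
                    [archive_sha(REBUILT_SAME), archive_sha(REBUILT_DIFF)]))
```

The per-file breakdown matters in practice: a mismatch in a single binary with the documentation unchanged is a different investigation from every file differing, which usually means the rebuild environment (compiler version, build path, timestamps) rather than the package itself.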