Scripsit "James R. Van Zandt" <[EMAIL PROTECTED]>

> - Allow an automated comparison of the two .debs. This would take
> some work to set up, but I would hope to detect a binary that
> doesn't correspond to the claimed sources. Also incorrect version
> of a compiler and different library versions than claimed in the
> dependencies.
There are many build tools that embed timestamps into the files being built, each in their own way and with their own format. Building the same package twice in the same, clean, environment will in general lead to .debs where the content of binary files differ in many places.

An automated comparison would need package-specific overrides for a nontrivial percentage of our source packages. If the maintainer declares the overrides, we don't gain security against deliberate trojanings. If not, then whom _do_ we trust enough to maintain the override database? And what useful work would they have to skip in order to maintain comparison overrides?

-- 
Henning Makholm                "40.9931 lightfortnight-barns per nanopint"
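The point above, that a byte-for-byte comparison of two builds fails on embedded timestamps while a comparison that ignores them still catches a changed binary, can be shown with a small script. This is an added illustration, not code from either poster or from any Debian tool. It assumes a package payload shaped like a .deb's data.tar.gz (a gzip-compressed tar), emulates a build tool that stamps the build time into the gzip header and every tar header, and then compares two such builds on member content only. The sample files and build times are constructed.

```python
"""Compare two gzip-compressed tar payloads (the shape of a .deb's data.tar.gz)
after discarding the timestamps that build tools embed."""
import gzip
import hashlib
import io
import struct
import tarfile

# Constructed sample payload; both "builds" start from the same files.
SAMPLE_FILES = {
    "./usr/bin/hello": b"#!/bin/sh\necho hello\n",
    "./usr/share/doc/hello/README": b"Example package\n",
}


def build_data_tar(files, build_time):
    """Emulate a build tool that stamps build_time into every tar header and
    into the gzip header. Two runs at different times give different bytes
    even though the file contents are identical."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name, content in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(content)
            info.mtime = build_time
            tar.addfile(info, io.BytesIO(content))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=build_time) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()


def gzip_mtime(blob):
    """The MTIME field of the gzip header (bytes 4..8, little-endian)."""
    return struct.unpack("<I", blob[4:8])[0]


def member_digests(blob):
    """Map each archive member to a SHA-256 of its content, ignoring mtime."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(gzip.decompress(blob)), mode="r") as tar:
        for member in tar.getmembers():
            data = tar.extractfile(member).read() if member.isfile() else b""
            digests[member.name] = hashlib.sha256(data).hexdigest()
    return digests


def compare_archives(blob_a, blob_b):
    """Return the member paths whose content or presence differs.
    Timestamps in the gzip header and tar headers are deliberately ignored,
    so only real content changes are reported."""
    a, b = member_digests(blob_a), member_digests(blob_b)
    return sorted(name for name in set(a) | set(b) if a.get(name) != b.get(name))


if __name__ == "__main__":
    first = build_data_tar(SAMPLE_FILES, 1_000_000_000)
    second = build_data_tar(SAMPLE_FILES, 1_000_000_600)   # same sources, 10 min later
    print("raw bytes equal:", first == second)               # False: timestamps differ
    print("gzip mtimes:", gzip_mtime(first), gzip_mtime(second))
    print("content differences:", compare_archives(first, second))   # []

    # Constructed "trojaned" rebuild: one member's content changed.
    altered = dict(SAMPLE_FILES)
    altered["./usr/bin/hello"] = b"#!/bin/sh\necho tampered\n"
    third = build_data_tar(altered, 1_000_000_600)
    print("content differences:", compare_archives(first, third))    # ['./usr/bin/hello']
```

This handles only the tar and gzip headers; timestamps that a compiler or linker writes inside an ELF object or a generated document would need per-format normalisation of exactly the kind the override database in the message would have to record.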

