Simon Hobson writes:
My memory on the details is vague, but there's been a project (Part of Debian ?) to "prove" that a binary was created from a given source - not trivial since slight differences in environment and compiler optimisations mean that simply compiling the source won't always create an identical binary.

There have been several, I didn't know that debian had one but it doesn't surprise me in the least.

I remember gcc 1.42 had bugs that bothered such a project... god, it's 25 years ago already. Gcc would produce equivalent code but not bit-for-bit identical due to a buglet in the register allocator. That got fixed. Other similar projects got other bugs fixed (I remember several tools that included the build date/time in object files for instance), so that nowadays it's mostly a question of matching the build environment. Suse did good work on that, also 10+ years ago, and (IIRC — I have only little experience with debian packages) you can build/rebuild debian packages in a fully-specified chroot, too.

Some well-known open source packages do it today, Signal on Android, for example. If you know java and the build tools, it's easy to check that the app you run was built from the source on GitHub. You may not trust the compiler, but you can verify that the compiler does the same for you as it does for the Signal developers.

At a guess, reproducibility hasn't become mainstream simply because most people who talk about it aren't satisfied anyway. If you spend time on reproducible builds, the people who talk about it shift to arguing about who should be trusted to sign or whether the compiler/bootloader/microcode might have a backdoor. Someone always pulls out Ken Thompson's hack. In the end the time and work leads to no concrete result.

Arnt
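An added illustration of the two points above (a build stamp leaking into the artifact, and rebuilding to verify a shipped binary), not code from the thread or from any of the projects named in it. The "build" is a constructed stand-in that concatenates sources behind a stamp; the SOURCE_DATE_EPOCH convention it models is the real reproducible-builds.org one, but here it is passed as a parameter instead of read from the environment.

```python
import hashlib
import time

# Constructed stand-in for a build step (not any real tool): it prepends a
# build stamp to the concatenated sources, the way the tools Arnt mentions
# wrote the build date/time into object files.
SOURCES = {
    "main.c": b"int main(void) { return helper(); }\n",
    "util.c": b"int helper(void) { return 0; }\n",
}

def build_stamp(clock, source_date_epoch=None):
    """Timestamp the build embeds. Real tools take source_date_epoch from the
    SOURCE_DATE_EPOCH environment variable (the reproducible-builds.org
    convention); when it is set it overrides the wall clock, so every
    rebuild embeds the same stamp."""
    if source_date_epoch is not None:
        return int(source_date_epoch)
    return int(clock())

def build(sources, clock, source_date_epoch=None):
    artifact = b"BUILD-STAMP: %d\n" % build_stamp(clock, source_date_epoch)
    # Sorted order: directory listing order is another environment detail
    # that differs between machines and would otherwise leak into the output.
    for name in sorted(sources):
        artifact += b"// %s\n%s" % (name.encode(), sources[name])
    return artifact

def digest(artifact):
    return hashlib.sha256(artifact).hexdigest()

def rebuild_matches(sources, clocks, source_date_epoch=None):
    """Build once per clock (two machines, two moments) and report whether
    the artifacts are bit-for-bit identical."""
    digests = {digest(build(sources, c, source_date_epoch)) for c in clocks}
    return len(digests) == 1

def verify_published(sources, published_digest, source_date_epoch):
    """The Signal-style check: rebuild from the published sources with the
    publisher's SOURCE_DATE_EPOCH and compare against the digest of the
    artifact they shipped. Any difference in sources or stamp shows up."""
    return digest(build(sources, time.time, source_date_epoch)) == published_digest

if __name__ == "__main__":
    clocks = [time.time, lambda: time.time() + 3600]  # a machine an hour off
    print("wall-clock stamp reproducible:", rebuild_matches(SOURCES, clocks))
    print("SOURCE_DATE_EPOCH pinned     :", rebuild_matches(SOURCES, clocks, 1700000000))
```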

_______________________________________________
Dng mailing list
[email protected]
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
