https://sourceware.org/bugzilla/show_bug.cgi?id=30978
--- Comment #4 from Frank Ch. Eigler <fche at redhat dot com> ---

Note that the main problem with this sort of scheme is not the checksum (whether CRC or a hash). That part can help provide some assurance against accidental corruption. (Plus you'd need external checksums for source files, which can't get additional ELF doohickeys inserted.) But you'd need crypto signatures on those hashes in order to protect against deliberate corruption anywhere between the original build system and your client. That in turn requires distribution of crypto keys. It goes well beyond the objcopy stuff.

I'm not sure whether the Debian ecosystem has started thinking about this stuff, but when/if they do, debuginfod should be adaptable to pass on whatever assurances are possible.
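
Added example, not part of the original comment and not code from debuginfod or binutils: it shows what a client can conclude from a CRC shipped with a file versus a signature over the file's hash, for accidental corruption and for a modification made in transit. The Lamport one-time signature is a standard-library stand-in (an assumption) for whatever signing scheme a distribution would actually deploy; all function names and payload bytes are constructed for illustration.

```python
import hashlib
import secrets
import zlib

def H(data):
    return hashlib.sha256(data).digest()

def bits(digest):
    # 256 message bits, most significant bit of each byte first
    return [(byte >> (7 - i)) & 1 for byte in digest for i in range(8)]

# Lamport one-time signature: a stand-in (assumption) for a real signing scheme.
def keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]  # only pk is distributed to clients
    return sk, pk

def sign(sk, digest):
    return [sk[i][b] for i, b in enumerate(bits(digest))]

def verify(pk, digest, sig):
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for (i, b), s in zip(enumerate(bits(digest)), sig))

def publish(sk, payload):
    # Build system: payload plus a CRC32 and a signature over its SHA-256.
    return {"payload": payload, "crc": zlib.crc32(payload), "sig": sign(sk, H(payload))}

def check(pk, bundle):
    # Client: returns (crc_ok, signature_ok)
    p = bundle["payload"]
    return zlib.crc32(p) == bundle["crc"], verify(pk, H(p), bundle["sig"])

def demo():
    sk, pk = keygen()
    good = publish(sk, b"constructed debuginfo bytes")
    # Accidental corruption: payload changes, metadata does not.
    flipped = {**good, "payload": b"constructed debuginfo bytez"}
    # Deliberate modification in transit: the CRC is recomputed to match,
    # but without sk no valid signature can be produced.
    swapped = b"constructed substitute bytes"
    forged = {**good, "payload": swapped, "crc": zlib.crc32(swapped)}
    return {"good": check(pk, good), "flipped": check(pk, flipped),
            "forged": check(pk, forged)}

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The signature check only means something if the client obtained `pk` through a channel the modifier does not control, which is the key distribution problem the comment points to.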