https://bugzilla.redhat.com/show_bug.cgi?id=2338150



--- Comment #5 from Daniel Berrangé <[email protected]> ---
(In reply to Richard W.M. Jones from comment #4)
> Wondering out loud if we could rebuild the package anyway, and check the
> binary is the same (it's "reproducible" right?) without the Intel signature.
> If so, go with the Intel signed binary.  But that's a ton of extra work.

Yes, see notes here:

https://fedoraproject.org/w/index.php?title=Changes/IntelSGX#Optional_extra:_reproducible_builds

It is a ton of extra work, but I have in fact already done it all.

https://gitlab.com/berrange/fedora-sgx-ng-copr/-/tree/main/linux-sgx-enclaves-reproducible2.22
https://gitlab.com/berrange/fedora-sgx-ng-copr/-/tree/main/linux-sgx-enclaves-reproducible2.23
https://gitlab.com/berrange/fedora-sgx-ng-copr/-/tree/main/linux-sgx-enclaves-reproducible2.24
https://gitlab.com/berrange/fedora-sgx-ng-copr/-/tree/main/linux-sgx-enclaves-reproducible2.25
https://copr.fedorainfracloud.org/coprs/berrange/sgx-ng/monitor/

It isn't practical to do it as part of this spec file though, because each
individual pre-built enclave is liable to come from a different SGX source
version. The pre-built binaries are only re-issued when security fixes are
needed, or when functional changes are introduced. It just happens that
currently all enclaves do come from 2.25 sources, but in the past that wasn't
the case and probably won't be in the future either. I contacted Intel to
request that they *always* re-issue all pre-built enclaves with each release,
but they rejected the request.

Once everything else is merged, I'm still considering introducing the
reproducible build packages as a followup, and trial it for a few years to see
how practical it is, as it is conceptually desirable to prove reproducibility.
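The rebuild-and-compare check discussed in this thread, as an added example that is not part of the bug report and is not code from the Fedora SGX packaging or from Intel's SDK. It compares a locally rebuilt enclave against the vendor-signed one section by section, ignoring only the section that carries the signature. It assumes the signature metadata lives in an ELF section named `.note.sgxmeta` (an assumption to confirm against the SDK's signing tool; the name is a parameter) and constructs two minimal ELF64 images inline as test input rather than reading real enclaves.

```python
"""Compare a rebuilt SGX enclave with the Intel-signed one, minus the signature.

Added example; not code from the bug report, the Fedora packages or Intel's SDK.
"""
import struct

# Assumption: the signing tool stores the SIGSTRUCT/metadata in a section
# named ".note.sgxmeta", and that is the only section expected to differ
# between a reproducible rebuild and the vendor-signed enclave.
SIGNATURE_SECTION = ".note.sgxmeta"

SHT_NULL, SHT_PROGBITS, SHT_STRTAB, SHT_NOTE, SHT_NOBITS = 0, 1, 3, 7, 8


def elf64_sections(data: bytes) -> dict:
    """Return {section name: section bytes} for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    # e_shoff lives at 0x28; e_shentsize/e_shnum/e_shstrndx at 0x3a/0x3c/0x3e.
    e_shoff = struct.unpack_from("<Q", data, 0x28)[0]
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", data, 0x3A)
    headers = []
    for i in range(e_shnum):
        # First 40 bytes of a section header: name, type, flags, addr, offset, size.
        sh_name, sh_type, _flags, _addr, sh_offset, sh_size = struct.unpack_from(
            "<IIQQQQ", data, e_shoff + i * e_shentsize)
        headers.append((sh_name, sh_type, sh_offset, sh_size))
    _, _, str_off, str_size = headers[e_shstrndx]
    strtab = data[str_off:str_off + str_size]
    sections = {}
    for sh_name, sh_type, sh_offset, sh_size in headers:
        name = strtab[sh_name:strtab.index(b"\0", sh_name)].decode()
        if not name:  # the mandatory null section has an empty name
            continue
        body = b"" if sh_type == SHT_NOBITS else data[sh_offset:sh_offset + sh_size]
        sections[name] = body
    return sections


def compare_enclaves(rebuilt: bytes, signed: bytes, ignore=(SIGNATURE_SECTION,)) -> list:
    """Names of sections whose bytes differ, skipping the ignored ones.

    An empty list means the rebuild reproduces the signed enclave apart from
    the signature; any other result is a reproducibility failure to investigate.
    """
    a, b = elf64_sections(rebuilt), elf64_sections(signed)
    return [name for name in sorted(set(a) | set(b))
            if name not in ignore and a.get(name) != b.get(name)]


def build_sample_elf(text: bytes, meta: bytes) -> bytes:
    """Construct a minimal ELF64 image with .text, .note.sgxmeta and .shstrtab.

    Constructed test input only; it is not a real enclave and not loadable.
    """
    shstrtab = b"\0.text\0.note.sgxmeta\0.shstrtab\0"  # name offsets 1, 7, 21
    text_off = 64
    meta_off = text_off + len(text)
    str_off = meta_off + len(meta)
    sh_off = str_off + len(shstrtab)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8  # ELF64, LE, SysV ABI
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 0x3E, 1, 0, 0, sh_off, 0,
                               64, 0, 0, 64, 4, 3)  # ET_DYN, x86-64, 4 sections

    def shdr(name, typ, off, size):
        return struct.pack("<IIQQQQIIQQ", name, typ, 0, 0, off, size, 0, 0, 1, 0)

    shdrs = (shdr(0, SHT_NULL, 0, 0)
             + shdr(1, SHT_PROGBITS, text_off, len(text))
             + shdr(7, SHT_NOTE, meta_off, len(meta))
             + shdr(21, SHT_STRTAB, str_off, len(shstrtab)))
    return ehdr + text + meta + shstrtab + shdrs


if __name__ == "__main__":
    code = b"\x0f\x01\xd7" * 8  # constructed stand-in for enclave code bytes
    rebuilt = build_sample_elf(code, b"UNSIGNED-PLACEHOLDER")
    signed = build_sample_elf(code, b"INTEL-SIGSTRUCT-PLACEHOLDER")
    print("rebuild vs signed:", compare_enclaves(rebuilt, signed))
    tampered = build_sample_elf(code[:-1] + b"\x90", b"UNSIGNED-PLACEHOLDER")
    print("tampered vs signed:", compare_enclaves(tampered, signed))
```

On real enclaves, `compare_enclaves(open(rebuilt).read(), open(signed).read())` is the check; a non-empty list names the sections to diff further, which is usually more useful than a plain hash mismatch when chasing down a non-reproducible build.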

