Hi marty,

On Sonntag, 8. März 2015, marty h wrote:
> Hi Holger...
> 
> I was excited to read about your work in theregister the other week and
> posted the article on a debian forum:
> http://forums.debian.net/viewtopic.php?f=20&t=120633
> 
> One of the post respondents, tomazzi provided the feedback pasted below.
> What would be your response in regards to his rationale? Would you mind if
> i posted your reply in the forum? Thanks in advance for any feedback you
> are able to provide. All the best with your project.

thanks. (just please send further followups to the mailinglist and not to me 
directly. I've bcc:'ed you as I'm not sure you are fine with your address on a 
public list.)

i'll keep it very brief as its really all documented.
 
> =====================================================
> tomazzi wrote:
> 
> To be honest, I don't get the rationale for this project:
> - Source packages are digitally signed,
> - Binary packages are digitally signed.
> So: the only way to have an "untrusted binary" is to use 3rd party packages
> or non-official sources.

reproducible builds are about enabling *everyone* to be able to independently 
confirm that a certain binary is derived from a certain source. (and this is 
done by creating bit-identical rebuilds.)

today you have to trust *somewone*, who says "this binary comes from this 
source". but noone can confirm this...

> I
>  understand, that a way to confirm that a signed 3rd party package is
> compiled from official sources could be useful (nobody should even try
> unsigned binaries) - but this is not a case in Debian - so what is this
> all about?

see above.

I suggest you see watch this video:

http://meetings-archive.debian.net/pub/debian-meetings/2015/fosdem/

this is a short intro about the project:

https://fosdem.org/2015/interviews/2015-holger-levsen/

or this: https://lists.debian.org/debian-devel-announce/2015/02/msg00007.html

> Anyway and definitely, this is bullshit:
> The
>  biggest such gap is that compilation and packaging processes aren't
> reproducible. Trying to recreate these processes typically yields a
> different result.

this can be fixed and this is what the project is about.


cheers,
        Holger

Attachment: signature.asc
Description: This is a digitally signed message part.

_______________________________________________
Reproducible-builds mailing list
Reproducible-builds@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/reproducible-builds

Reply via email to