Hi marty,

On Sunday, 8 March 2015, marty h wrote:
> Hi Holger...
>
> I was excited to read about your work in theregister the other week and
> posted the article on a debian forum:
> http://forums.debian.net/viewtopic.php?f=20&t=120633
>
> One of the post respondents, tomazzi, provided the feedback pasted below.
> What would be your response in regards to his rationale? Would you mind if
> I posted your reply in the forum? Thanks in advance for any feedback you
> are able to provide. All the best with your project.
Thanks. (Just please send further followups to the mailing list and not to me directly. I've bcc'ed you as I'm not sure you are fine with your address on a public list.)

I'll keep it very brief as it's really all documented.

> =====================================================
> tomazzi wrote:
>
> To be honest, I don't get the rationale for this project:
> - Source packages are digitally signed,
> - Binary packages are digitally signed.
> So: the only way to have an "untrusted binary" is to use 3rd party packages
> or non-official sources.

Reproducible builds are about enabling *everyone* to be able to independently confirm that a certain binary is derived from a certain source. (And this is done by creating bit-identical rebuilds.)

Today you have to trust *someone* who says "this binary comes from this source". But no one can confirm this...

> I understand that a way to confirm that a signed 3rd party package is
> compiled from official sources could be useful (nobody should even try
> unsigned binaries) - but this is not the case in Debian - so what is this
> all about?

See above. I suggest you watch this video:
http://meetings-archive.debian.net/pub/debian-meetings/2015/fosdem/

This is a short intro about the project:
https://fosdem.org/2015/interviews/2015-holger-levsen/

or this:
https://lists.debian.org/debian-devel-announce/2015/02/msg00007.html

> Anyway and definitely, this is bullshit:
> The biggest such gap is that compilation and packaging processes aren't
> reproducible. Trying to recreate these processes typically yields a
> different result.

This can be fixed and this is what the project is about.

cheers,
	Holger
_______________________________________________
Reproducible-builds mailing list
Reproduciblefirstname.lastname@example.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/reproducible-builds
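The point Holger makes above, that a rebuild has to be bit-identical before anyone other than the original builder can confirm "this binary comes from this source", is easier to see with a toy build run twice. The script below is an added example, not code from the thread or from the Debian reproducible-builds project. The "compiler" (uppercasing a source file), the pinned SOURCE_DATE_EPOCH value and the canonical path /build/src are all assumptions made for the demonstration; only the SOURCE_DATE_EPOCH convention itself is the project's. One build embeds wall-clock time and the scratch build directory, as many toolchains do by default, so two honest rebuilds already disagree and a verifier learns nothing. The other pins those inputs, so an independent rebuild yields the same digest as the shipped artifact.

```shell
#!/bin/sh
# Added example: why "just rebuild and compare hashes" fails without
# reproducible builds, and the two most common fixes (timestamp, build path).
set -eu

# Constructed sample "source package": one source file with fixed content.
SRC_CONTENT='int main(void) { return 0; }'

# sha256 of a file; portable across GNU coreutils and BSD/macOS.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Toy compiler (assumption for the demo): "compiles" by uppercasing the source.
# Deterministic on its own; the non-determinism comes from the build wrapper.
compile() { tr 'a-z' 'A-Z' < "$1"; }

# Unreproducible build: stamps the artifact with the current time and the
# absolute scratch directory, so every rebuild differs even from the same source.
build_unreproducible() {   # $1 = output artifact
    builddir=$(mktemp -d)
    printf '%s\n' "$SRC_CONTENT" > "$builddir/main.c"
    {
        printf 'BUILT-AT: %s\n' "$(date -u)"
        printf 'BUILD-DIR: %s\n' "$builddir"
        compile "$builddir/main.c"
    } > "$1"
    rm -rf "$builddir"
}

# Reproducible build: the timestamp is taken from SOURCE_DATE_EPOCH (the
# reproducible-builds convention) and the recorded path is a canonical one
# rather than the scratch directory. The compile step is unchanged.
build_reproducible() {     # $1 = output artifact
    # Assumed value pinned by the packager: 2015-03-08 00:00:00 UTC.
    : "${SOURCE_DATE_EPOCH:=1425772800}"
    builddir=$(mktemp -d)
    printf '%s\n' "$SRC_CONTENT" > "$builddir/main.c"
    {
        printf 'BUILT-AT: @%s\n' "$SOURCE_DATE_EPOCH"
        printf 'BUILD-DIR: %s\n' "/build/src"
        compile "$builddir/main.c"
    } > "$1"
    rm -rf "$builddir"
}

# What an independent rebuilder does: rebuild from the published source and
# compare digests with the shipped binary. Succeeds only on a bit-identical match.
verify_rebuild() {         # $1 = shipped artifact, $2 = local rebuild
    [ "$(digest "$1")" = "$(digest "$2")" ]
}

demo() {
    work=$(mktemp -d)
    build_unreproducible "$work/shipped.bin"
    build_unreproducible "$work/rebuilt.bin"
    if verify_rebuild "$work/shipped.bin" "$work/rebuilt.bin"; then
        echo "unreproducible build: digests match (unexpected)"
    else
        echo "unreproducible build: digests differ, rebuild proves nothing"
    fi
    build_reproducible "$work/shipped-r.bin"
    build_reproducible "$work/rebuilt-r.bin"
    if verify_rebuild "$work/shipped-r.bin" "$work/rebuilt-r.bin"; then
        echo "reproducible build: digests match, source-to-binary link confirmed"
    else
        echo "reproducible build: digests differ (unexpected)"
    fi
    rm -rf "$work"
}

demo
```

Run it with `sh rebuild-demo.sh`. Note that the verifier never needs the original builder's signing key: with a reproducible build the digest comparison itself is the evidence, which is exactly what package signatures alone cannot provide.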