> Den 16/06/2015 kl. 23.50 skrev Holger Levsen <hol...@layer-acht.org>:
> "Reproducible builds enable anyone to reproduce bit by bit identical binary 
> packages from a given source, so that anyone can verify that a given binary 
> derived from the source it was said to be derived. " - right now you have to 
> *believe* someone that the binary really comes from said source. And you need 
> to *believe* the system building it wasn't compromised...

The build should be immune to the time of the build, of course. That's fairly 
easy (e.g. use 'ar -D' consistently and leave DEBUG_FLAGS empty).

But what about the user who started the build? This leaks to at least sendmail 
config files.

Being agnostic to the path to the src root (e.g. /usr/src or 
/home/erik/freebsd/HEAD/src) requires rewriting the compiler __FILE__ macro to 
insert a relative path, and make debuggers understand relative paths. This is 

The FreeBSD subversion revision is also leaked several places.

I think reproduce builds are a noble goal and would enable all sorts of smart 
analysis, e.g. which binaries are affected by a certain commit. Just remember 
to define the requirements that need to be satisfied to get reproduce builds.

Reproducible-builds mailing list

Reply via email to