Ben Hutchings: > At some point we're hopefully going to support Secure Boot on amd64. > That means there will be a signed kernel image (separate from the > current linux-image packages) and a signed GRUB image. The kernel > modules in the linux-image packages will also be signed, probably with > an ephemeral key. > > All these signatures will all be embedded within binaries and will of > course not be reproducible. The locations of differences will however > be predictable. > > How should we deal with this limited variability? Could source > packages or buildinfo describe the expected variations somehow?
One way to solve this, although a bit wasteful on resource, is to use the clean rule to perform a first build and create a signature to be added to the source package. See my suggest patch for wireless-regdb which implements this idea: https://bugs.debian.org/725803#29 Would that be a good fit for Linux or GRUB? -- Lunar .''`. lu...@debian.org : :Ⓐ : # apt-get install anarchism `. `'` `-
signature.asc
Description: Digital signature
_______________________________________________ Reproducible-builds mailing list Reproducible-builds@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/reproducible-builds