On Mon, 2015-08-03 at 10:27 +0200, Jérémy Bobbio wrote:
> Ben Hutchings:
> > At some point we're hopefully going to support Secure Boot on amd64.
> > That means there will be a signed kernel image (separate from the
> > current linux-image packages) and a signed GRUB image.  The kernel
> > modules in the linux-image packages will also be signed, probably with
> > an ephemeral key.
> > 
> > All these signatures will all be embedded within binaries and will of
> > course not be reproducible.  The locations of differences will however
> > be predictable.
> > 
> > How should we deal with this limited variability?  Could source
> > packages or buildinfo describe the expected variations somehow?
> One way to solve this, although a bit wasteful on resource, is to use
> the clean rule to perform a first build and create a signature to be
> added to the source package.

That sort of works as long as there's only one architecture we want to
do this for.  But the ability to verify modules is useful in general so
I would like to turn that on for all architectures.

> See my suggest patch for wireless-regdb which implements this idea:
> https://bugs.debian.org/725803#29
> Would that be a good fit for Linux or GRUB?

Not really; they both take a long time to build.


Ben Hutchings
Unix is many things to many people,
but it's never been everything to anybody.

Attachment: signature.asc
Description: This is a digitally signed message part

Reproducible-builds mailing list

Reply via email to