On 20/09/15 19:22, Johannes Schauer wrote:
> Hi,
> Quoting Ximin Luo (2015-09-20 18:49:16)
>> Currently, to run a DDC test, we would have to read the buildinfo file, find
>> the hashes of the binary build-deps, look up the source packages that
>> correspond to these hashes, find different binary build-deps for these
>> hashes, and run our DDC-checker. This takes many round trips, and contacting
>> external infrastructure that isn't necessary.
>> If .buildinfo files contained source hashes, the DDC-checker could work more
>> directly, without requiring a remote repository of source hash <-> binary
>> hash mappings.
> which packages would benefit from this?

Every package that is (or might be, in the future) a build-dep of another 
package would benefit, because it would make it easier to check (though this is 
being discussed in the other branch) that *source* build-deps result in a
fixed binary, regardless of how they are compiled (e.g. if they're compiled by
something compromised).

gcc and clang are only examples for the DDC case, but the point generally 
applies to (a) { checking that binary0(source1)==binary1 } vs (b) { checking 
that source0(source1)==binary1 }. For DDC, we do (b) and select source0 = 
source1, but it's harder to select this if we only have information about (a).




Reproducible-builds mailing list
