Philipp Kern asked about trying to do reproducible builds checks for
recent security updates to try to gain confidence about Debian's buildd
infrastructure, given that they run builds in sid chroots which may have
used or built or run a vulnerable xz-utils...
So far, I have not found any
John Gilmore:
> kpcyrd wrote:
>> 1) There's currently no way to tell if a package can be built offline
>> (without trying yourself).
>
> Packages that can't be built offline are not reproducible, by
> definition. They depend on outside events and circumstances
> in order for a third party to
kpcyrd wrote:
> 1) There's currently no way to tell if a package can be built offline
> (without trying yourself).
Packages that can't be built offline are not reproducible, by
definition. They depend on outside events and circumstances
in order for a third party to reproduce them
On 3/29/24 6:48 AM, John Gilmore wrote:
John Gilmore wrote:
Bootstrappable builds are a different thing. Worthwhile, but not
what I was asking for. I just wanted provable reproducibility from two
ISO images and nothing more.
I was asking that a bare amd64 be able to boot from an Arch Linux
https://www.openwall.com/lists/oss-security/2024/03/29/4
Exciting times
Hi again,
On Mon, 11 Mar 2024 at 18:24, James Addison wrote:
>
> Hi folks,
>
> On Wed, 6 Mar 2024 at 01:04, James Addison wrote:
> > [ ... snip ...]
> >
> > The Debian bug severity descriptions[1] provide some more nuance, and that
> > reassures me that wishlist should be appropriate for most
Hi,
The diffoscope maintainers are pleased to announce the release of
version 262 of diffoscope.
diffoscope tries to get to the bottom of what makes files or
directories different. It will recursively unpack archives of many
kinds and transform various binary formats into more human-readable