On Wed, Sep 11, 2013 at 12:26:28PM -0400, Braiam Miguel Peguero Novo wrote:
> This is a question that was brought up at AskUbuntu[1], and I think
> this is the authoritative list that can answer it.
>
> So, what are reproducible builds? I don't have the least idea... The
> Debian wiki [2] is still a work-in-progress as far as I can tell, but
> seems like they are trying to "predict" the binaries from the change
> in the sources and verify that the build bots are not compromised. I
> believe this is trying to be a layer of protection against attacks to
> the build bots in the attempt to compromise with foreign code the
> packages.

With very few exceptions, nearly all of Debian's work on this will just
be going into the packages that form part of the package build
toolchain, and as such Ubuntu will inherit it over the natural course of
merging and syncing packages from Debian. The possible exceptions are
things like the proposed libfaketime etc. preloads that we might insert
into builds; I'd certainly be keen to keep up to date with things Debian
does in this area, not just to protect against intrusion but also
because there are immediate practical benefits to doing so (safer
multiarch handling).

> The question is: will Canonical support this feature in the future? Is
> this being discussed? If it is, what is the status?

I'm not aware that it's been specifically discussed, mostly because most
of the relevant people are pretty heads-down working on the Ubuntu Touch
product at the moment; but I also think there's work to be done in
Debian first before we pick anything up.

Cheers,

--
Colin Watson [[email protected]]
