Date:      Fri, 18 Sep 2015 14:49:01 +0200
From:      Dag-Erling Smørgrav <des@des.no>
To:        grarpamp <grarpamp@gmail.com>
Cc:        freebsd-security@freebsd.org,  freebsd-questions@freebsd.org
Subject:   Re: HTTPS on freebsd.org, git, reproducible builds
Message-ID:  <86vbb7dhaa.fsf@nine.des.no>
In-Reply-To: <CAD2Ti2_YNkNi2b=PzFCwu3PVaP8hOzADys3=-k0AqvsDRhJpzA@mail.gmail.com> (grarpamp@gmail.com's message of "Thu, 17 Sep 2015 23:20:31 -0400")
References:  <CAD2Ti2_YNkNi2b=PzFCwu3PVaP8hOzADys3=-k0AqvsDRhJpzA@mail.gmail.com>

grarpamp <grarpamp@gmail.com> writes:
> Not to mention the irreproducible builds / pkgs / ISO's.

The base system build is 99% reproducible.  ISOs should be reproducible
as well, modulo timestamps.

Reproducible packages are extremely difficult to get right.  Baptiste
spent a lot of time and effort trying to get them to work before the
official switch to pkgng.  Many packages compile the build host's name
and / or the current date and time into various binaries.  Python stores
the timestamp of the original .py file into the .pyc file and will
attempt to recompile it if that timestamp does not match or the .py
file's mtime is equal to or greater than the .pyc file's mtime.  Emacs
does similar shenanigans with .el and .elc files.

> These days these flaws are more than a bit ridiculous,

You seem to be implying that everybody else is doing it except us.  This
is not true.  Debian and Fedora are or have been working on it but with
no success to date.

> Can we get a wiki project page and some traction on this?

https://wiki.freebsd.org/ReproducibleBuilds
https://wiki.freebsd.org/PortsReproducibleBuilds

Are you volunteering?

DES
-- 
Dag-Erling Smørgrav - des@des.no
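
Added example, not part of the original message: the .pyc timestamp behaviour described above, shown with Python's py_compile by compiling one constructed module under two different source mtimes. It assumes Python 3.7 or later, whose hash-based .pyc mode (PEP 552) postdates this 2015 message; SOURCE, build_pyc, header and digest are names made up for this example.

```python
import hashlib
import os
import py_compile
import struct
import tempfile
from py_compile import PycInvalidationMode

SOURCE = "ANSWER = 42\n"  # constructed sample module


def build_pyc(mtime: int, mode: PycInvalidationMode) -> bytes:
    """Compile SOURCE after forcing the .py file's mtime; return the raw .pyc."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "mod.py")
        out = os.path.join(tmp, "mod.pyc")
        with open(src, "w", newline="") as fh:
            fh.write(SOURCE)
        os.utime(src, (mtime, mtime))
        # dfile pins co_filename so the random temp path is not embedded.
        py_compile.compile(src, cfile=out, dfile="mod.py", doraise=True,
                           invalidation_mode=mode)
        with open(out, "rb") as fh:
            return fh.read()


def header(pyc: bytes) -> dict:
    """Split the 16-byte header: magic, flags, then mtime+size or source hash."""
    flags, = struct.unpack("<I", pyc[4:8])
    if flags & 0x1:  # hash-based .pyc: bytes 8..16 are a hash of the source
        return {"flags": flags, "source_hash": pyc[8:16]}
    mtime, size = struct.unpack("<II", pyc[8:16])
    return {"flags": flags, "mtime": mtime, "size": size}


def digest(pyc: bytes) -> str:
    """SHA-256 of the whole .pyc, as a package checksum would see it."""
    return hashlib.sha256(pyc).hexdigest()


if __name__ == "__main__":
    # Two constructed mtimes standing in for two build runs of the same source.
    for mode in (PycInvalidationMode.TIMESTAMP, PycInvalidationMode.CHECKED_HASH):
        a, b = build_pyc(1_000_000_000, mode), build_pyc(1_442_580_541, mode)
        print(mode.name, header(a), header(b), "identical:", digest(a) == digest(b))
```

In timestamp mode only the four mtime bytes in the header differ between the two builds, which is enough to change the checksum of any package that ships the .pyc.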
