Date: Thu, 03 Dec 2015 18:11:27 -0330 From: "Jonathan Anderson" <jonathan@FreeBSD.org> To: "Ian Lepore" <ian@freebsd.org> Cc: "Warner Losh" <imp@bsdimp.com>, "Ed Maste" <emaste@freebsd.org>, "freebsd-arch@freebsd.org" <freebsd-arch@freebsd.org> Subject: Re: Removing build metadata, for reproducible kernel builds Message-ID: <E4AABB64-C5C7-44BD-91B9-E022D9D4D84E@FreeBSD.org> In-Reply-To: <1449177325.6214.14.camel@freebsd.org> References: <CAPyFy2AYeN9XNg=b0=JMWDC9ctWarfiZ-5zQorOPhguDJgxYpg@mail.gmail.com> <D9AF1C8B-431C-4359-988F-FDEEF8FAD981@bsdimp.com> <CAPyFy2CZYV%2B-5pDQjCA4Btct1VZUyEQUuL2iU1z07Ff-n2Y9Hg@mail.gmail.com> <CANCZdfqP3=%2BBHM_%2B=ZrNouGrXW5WAwHC87F2teEi%2BE2j-AMm6g@mail.gmail.com> <1449177325.6214.14.camel@freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On 3 Dec 2015, at 17:45, Ian Lepore wrote: > I'm curious why anyone wants this enabled by default, like... are we > missing something? Does it improve freebsd-update behavior maybe? There is value in being able to reproduce the things you run, especially if you download them from somebody else (like releases or binary packages). It's not a panacea (see "Reflections on Trusting Trust"), but it’s helpful, even if you don't always do the reproduction work. The very fact that someone *can* check a binary release for naughtiness is a strong incentive for many adversaries not to try their hand. > If it's just for some general "reproducibility is good" philosophy > then > I would counter with "information is even better, so don't throw it > away without a good reason." When you're building your own stuff, sure, it might help to know that this is the kernel you built on "this machine" at "that time". When running 10.2-RELEASE-p7, however, it’s not very useful to know that it was built on amd64-builder.daemonology.net, or that the source tree was located at /usr/src. It *might* be useful to know that {set of people} all got kernels that hash to {some bit pattern} when they reproduced the build (like Certificate Transparency). Or, more interestingly, that {people using some configuration} got a different result. Again, like Certificate Transparency. :) > Reproducibility is good for some people, and completely useless for > others, and the people who need it aren't going to mind turning on a > knob or two to get what they want. Possibly. I don't have any strong opinions on whether the default is "reproducible" or "full of information that helps me identify busted kernels”, just so long as "reproducible" is available and easy to turn on. And my personal opinion is that it should be turned on for public releases: I think that being able to validate the kernel is more important than knowing what machine it was built on. >> Yea I was reading things backwards. >> >> In the review, I suggested that if you've modified the tree (which >> the SCM >> will tell you), then do the old format to preserve useful metadata >> that's >> really really needed and if not to use the shorter version. When >> you've >> modified the tree, reproducible builds aren't a concern at all. >> > > How are you going to determine what consitutes a modified tree? What > you think of as modifications may be what I call my baseline version. Since we host our code in Subversion and have an official Git mirror, how about svn status || git status? If you're basing your code off of anything other than an official mirror, you get to deal with the reproducibility problem yourself, but it sounds like many people in this camp would prefer the more verbose version string anyway. Jon -- Jonathan Anderson jonathan@FreeBSD.org
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?E4AABB64-C5C7-44BD-91B9-E022D9D4D84E>