From: Roger Marquis
To: freebsd-security@freebsd.org
Cc: freebsd-questions@freebsd.org
Date: Fri, 18 Sep 2015 07:07:59 -0700 (PDT)
Subject: Re: HTTPS on freebsd.org, git, reproducible builds
In-Reply-To: <20150918134659.GB28949@FreeBSD.org>

Glen Barber wrote:
> In fact, Debian has been kind enough to even provide a page that shows
> which parts of the FreeBSD build are non-reproducible.
>
> https://reproducible.debian.net/freebsd/freebsd.html

This issue is one of the reasons secure sites do not use binary packages
or freebsd-update. It also illustrates problems admins have when required
to buildworld/installworld when all they should need to do is
"cd /usr/src/crypto/openssh && make install" (for example). Does anyone
have a link to the archived discussion detailing why this functionality
was deprecated?

These are good and timely subjects given recently published details of
NSA/5 Eyes methodologies as well as the issues FreeBSD security teams were
having as recently as a few months ago.

Roger Marquis

Refs.
https://igurublog.wordpress.com/2014/04/08/julian-assange-debian-is-owned-by-the-nsa/
http://www.linuxjournal.com/content/debian-project-aims-keep-cia-our-computers
http://www.tedunangst.com/flak/post/reproducible-builds-are-a-waste-of-time
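A file-by-file reproducibility check of the kind the Debian page above automates, added here as an example that is not part of the original post nor of FreeBSD's build system; the function names and the two sample trees are constructed for illustration, and the script assumes only POSIX sh plus sha256(1) or sha256sum(1):

```shell
#!/bin/sh
# Added example, not from the mailing-list post: a reproducibility check in
# the spirit of reproducible.debian.net: build the same tree twice, then
# compare the two output trees file by file and list anything that differs.

# Hash one file; FreeBSD ships sha256(1), most Linux systems sha256sum(1).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# compare_builds <tree-A> <tree-B>: prints one line per file that differs or
# exists in only one tree; returns 0 only when every file is byte-identical.
# Assumes file names contain no newlines.
compare_builds() {
    a="$1"; b="$2"
    diffs=$(
        { (cd "$a" && find . -type f); (cd "$b" && find . -type f); } | sort -u |
        while IFS= read -r rel; do
            if [ ! -f "$a/$rel" ]; then
                printf 'only-in-B %s\n' "$rel"
            elif [ ! -f "$b/$rel" ]; then
                printf 'only-in-A %s\n' "$rel"
            elif [ "$(hash_file "$a/$rel")" != "$(hash_file "$b/$rel")" ]; then
                printf 'differs   %s\n' "$rel"
            fi
        done
    )
    [ -z "$diffs" ] && return 0
    printf '%s\n' "$diffs"
    return 1
}

# Constructed sample (not real build output): two trees where one binary
# embeds a build timestamp, the classic source of non-reproducibility.
make_sample_builds() {
    root=$(mktemp -d)
    mkdir -p "$root/A/bin" "$root/B/bin"
    printf 'deterministic payload\n' > "$root/A/bin/ssh"
    printf 'deterministic payload\n' > "$root/B/bin/ssh"
    printf 'built at 2015-09-18T14:08:05Z\n' > "$root/A/bin/sshd"
    printf 'built at 2015-09-18T14:09:11Z\n' > "$root/B/bin/sshd"
    printf '%s\n' "$root"
}

# Run directly as: sh compare_builds.sh /path/to/build-A /path/to/build-B
[ "$#" -eq 2 ] && compare_builds "$1" "$2"
```

Any file the script reports as differing is a candidate for an embedded timestamp, build path or host name; a clean run on two independent hosts is what lets a site trust a binary package as much as its own build.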