From owner-freebsd-questions@freebsd.org  Fri Sep 18 14:08:05 2015
Return-Path: <owner-freebsd-questions@freebsd.org>
Delivered-To: freebsd-questions@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 811B39CEF39;
 Fri, 18 Sep 2015 14:08:05 +0000 (UTC)
 (envelope-from marquis@roble.com)
Received: from mx5.roble.com (mx5.roble.com [206.40.34.5])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "mx5.roble.com", Issuer "mx5.roble.com" (not verified))
 by mx1.freebsd.org (Postfix) with ESMTPS id 748181C49;
 Fri, 18 Sep 2015 14:08:05 +0000 (UTC)
 (envelope-from marquis@roble.com)
Date: Fri, 18 Sep 2015 07:07:59 -0700 (PDT)
From: Roger Marquis <marquis@roble.com>
To: freebsd-security@freebsd.org
cc: freebsd-questions@freebsd.org
Subject: Re: HTTPS on freebsd.org, git, reproducible builds
In-Reply-To: <20150918134659.GB28949@FreeBSD.org>
References: <CAD2Ti2_YNkNi2b=PzFCwu3PVaP8hOzADys3=-k0AqvsDRhJpzA@mail.gmail.com>
 <86vbb7dhaa.fsf@nine.des.no> <20150918134659.GB28949@FreeBSD.org>
User-Agent: Alpine 2.11 (BSF 23 2013-08-11)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions/>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Sep 2015 14:08:05 -0000

Glen Barber wrote:
> In fact, Debian has been kind enough to even provide a page that shows
> which parts of the FreeBSD build are non-reproducible.
>
> https://reproducible.debian.net/freebsd/freebsd.html

This issue is one of the reasons secure sites do not use binary packages
or freebsd-update.  It also illustrates problems admins have when
required to buildworld/installworld when all they should need to do is
"cd /usr/src/crypro/openssh&&make install" (for example).  Does anyone
have a link to the archived discussion detailing why this functionality
was deprecated?

These are good and timely subjects given recently published details of
NSA/5 eyes methodologies as well as the issues freebsd security teams
were having as recently as a few months ago.

Roger Marquis

Refs.
   https://igurublog.wordpress.com/2014/04/08/julian-assange-debian-is-owned-by-the-nsa/
   http://www.linuxjournal.com/content/debian-project-aims-keep-cia-our-computers
   http://www.tedunangst.com/flak/post/reproducible-builds-are-a-waste-of-time