Date: Wed, 17 Jun 2015 11:07:12 +0200
From: Erik Cederstrand <erik+lists@cederstrand.dk>
To: Holger Levsen <holger@layer-acht.org>
Cc: freebsd-hackers@freebsd.org, reproducible-builds@lists.alioth.debian.org
Subject: Re: reproducible builds of FreeBSD in a chroot on Linux
Message-ID: <387AA935-C074-4F95-A465-E525F7F0E188@cederstrand.dk>
In-Reply-To: <201506162350.11646.holger@layer-acht.org>
References: <201505071122.36037.holger@layer-acht.org> <554B509B.8020608@fuckner.net> <201506162350.11646.holger@layer-acht.org>
> On 16/06/2015 at 23.50, Holger Levsen <holger@layer-acht.org> wrote:
>
> "Reproducible builds enable anyone to reproduce bit by bit identical binary packages from a given source, so that anyone can verify that a given binary derived from the source it was said to be derived." - right now you have to *believe* someone that the binary really comes from said source. And you need to *believe* the system building it wasn't compromised...

The build should be immune to the time of the build, of course. That's fairly easy (e.g. use 'ar -D' consistently and leave DEBUG_FLAGS empty).

But what about the user who started the build? This leaks to at least sendmail config files.

Being agnostic to the path to the src root (e.g. /usr/src or /home/erik/freebsd/HEAD/src) requires rewriting the compiler __FILE__ macro to insert a relative path, and make debuggers understand relative paths. This is hard.

The FreeBSD subversion revision is also leaked several places.

I think reproducible builds are a noble goal and would enable all sorts of smart analysis, e.g. which binaries are affected by a certain commit. Just remember to define the requirements that need to be satisfied to get reproducible builds.

Erik
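As an added illustration (not part of Erik's mail, and not code from the FreeBSD build system), the following Python script checks a build artifact for the four sources of nondeterminism the mail names: the build path leaking through __FILE__, the build date/time, the build user, and an expanded subversion keyword. The artifact bytes, the source root /home/erik/freebsd/HEAD/src, the user name, the host name and the revision number 999999 are all constructed placeholders; the second "fixed" artifact stands in for what the same build would look like once those inputs are scrubbed. The last helper compares two builds byte by byte, which is the check the "bit by bit identical" definition quoted above ultimately reduces to.

```python
import re

# Constructed sample standing in for a freshly built object/binary. Nothing
# here comes from a real FreeBSD build: path, user, host, date and the
# $FreeBSD$ keyword line are made-up placeholders that mimic the leaks the
# mail describes (build path via __FILE__, build time, build user, svn revision).
SRC_ROOT = "/home/erik/freebsd/HEAD/src"   # assumed source root (placeholder)
BUILD_USER = "erik"                         # assumed build user (placeholder)

SAMPLE_ARTIFACT = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"/home/erik/freebsd/HEAD/src/lib/libc/stdio/printf.c\x00"  # __FILE__ leak
    + b"Jun 17 2015\x0011:07:12\x00"                               # __DATE__ / __TIME__ leak
    + b"build host: erik@builder.example\x00"                      # build user leak
    + b"$FreeBSD: head/lib/libc/stdio/printf.c 999999 "            # expanded svn keyword
    + b"2015-06-17 09:07:12Z erik $\x00"                           # (revision is made up)
    + b"usage: printf format [arguments ...]\x00"
)

# The same constructed artifact after the build inputs were made deterministic:
# relative __FILE__, no __DATE__/__TIME__, no user string, unexpanded keyword.
SAMPLE_ARTIFACT_FIXED = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"lib/libc/stdio/printf.c\x00"
    + b"$FreeBSD$\x00"
    + b"usage: printf format [arguments ...]\x00"
)

MONTHS = rb"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"


def leak_patterns(src_root: str, user: str):
    """Regexes for the nondeterminism sources named in the thread, in a fixed order."""
    return [
        # absolute path under the build tree, as emitted by __FILE__ / debug info
        ("build-path", re.compile(re.escape(src_root.encode()) + rb"[^\x00\s]*")),
        # "Mmm dd yyyy" is the layout of the __DATE__ predefined macro
        ("build-date", re.compile(MONTHS + rb" [ \d]\d \d{4}")),
        # "hh:mm:ss" is the layout of the __TIME__ predefined macro
        ("build-time", re.compile(rb"\b\d{2}:\d{2}:\d{2}\b")),
        # user@host strings such as the ones stamped into sendmail config files
        ("build-user", re.compile(rb"\b" + re.escape(user.encode()) + rb"@[\w.-]+")),
        # an expanded $FreeBSD: ... $ keyword carries the subversion revision
        ("svn-keyword", re.compile(rb"\$FreeBSD: [^$]*\$")),
    ]


def find_leaks(blob: bytes, src_root: str = SRC_ROOT, user: str = BUILD_USER):
    """Return [(kind, matched_text), ...] for every build-environment leak found."""
    hits = []
    for kind, pat in leak_patterns(src_root, user):
        for m in pat.finditer(blob):
            hits.append((kind, m.group(0).decode("ascii", "replace")))
    return hits


def first_difference(a: bytes, b: bytes) -> int:
    """Offset of the first byte at which two build outputs differ; -1 if bit-identical."""
    if a == b:
        return -1
    n = min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i]:
            return i
    return n  # one output is a prefix of the other


if __name__ == "__main__":
    for kind, text in find_leaks(SAMPLE_ARTIFACT):
        print(f"{kind:12s} {text}")
    print("leaks in fixed artifact:", find_leaks(SAMPLE_ARTIFACT_FIXED))
    print("first differing offset:", first_difference(SAMPLE_ARTIFACT, SAMPLE_ARTIFACT))
```

Running the script lists the five leaked strings in the constructed artifact and an empty list for the scrubbed one. In practice the scanner would be pointed at the output of a real build (or at the differing byte ranges that first_difference locates between two builds), with SRC_ROOT and BUILD_USER set to the values the build actually ran under.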