[Reproducible-builds] jenkins.debian.net quality monitoring feedback...
Holger Levsen
holger at layer-acht.org
Sun Mar 8 10:31:34 UTC 2015
Hi marty,
On Sunday, 8 March 2015, marty h wrote:
> Hi Holger...
>
> I was excited to read about your work in theregister the other week and
> posted the article on a debian forum:
> http://forums.debian.net/viewtopic.php?f=20&t=120633
>
> One of the post respondents, tomazzi provided the feedback pasted below.
> What would be your response in regards to his rationale? Would you mind if
> I posted your reply in the forum? Thanks in advance for any feedback you
> are able to provide. All the best with your project.
thanks. (just please send further follow-ups to the mailing list and not to me
directly. I've bcc:'ed you as I'm not sure you are fine with your address on a
public list.)
I'll keep it very brief as it's really all documented.
> =====================================================
> tomazzi wrote:
>
> To be honest, I don't get the rationale for this project:
> - Source packages are digitally signed,
> - Binary packages are digitally signed.
> So: the only way to have an "untrusted binary" is to use 3rd party packages
> or non-official sources.
reproducible builds are about enabling *everyone* to be able to independently
confirm that a certain binary is derived from a certain source. (and this is
done by creating bit-identical rebuilds.)
today you have to trust *someone*, who says "this binary comes from this
source". but no one can confirm this...
> I understand that a way to confirm that a signed 3rd party package is
> compiled from official sources could be useful (nobody should even try
> unsigned binaries) - but this is not a case in Debian - so what is this
> all about?
see above.
I suggest you watch this video:
http://meetings-archive.debian.net/pub/debian-meetings/2015/fosdem/
this is a short intro about the project:
https://fosdem.org/2015/interviews/2015-holger-levsen/
or this: https://lists.debian.org/debian-devel-announce/2015/02/msg00007.html
> Anyway and definitely, this is bullshit:
> The biggest such gap is that compilation and packaging processes aren't
> reproducible. Trying to recreate these processes typically yields a
> different result.
this can be fixed and this is what the project is about.
cheers,
Holger
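As an added illustration of the distinction drawn in this thread (not part of Holger's mail or of any Debian tooling), a toy Python model: a package signature proves who published a binary, while a bit-identical rebuild lets anyone confirm which source it was built from. SOURCE, ARCHIVE_KEY, the HMAC used as a stand-in for an OpenPGP signature and the timestamps are all constructed assumptions.

```python
import hashlib
import hmac

# Constructed toy source: the contents of a "source package".
SOURCE = b"int main(void) { return 0; }\n"
# Constructed key standing in for the archive's signing key.
ARCHIVE_KEY = b"toy-archive-signing-key"


def build(source: bytes, timestamp: int) -> bytes:
    """Toy build step whose output embeds a timestamp. Fed the wall clock,
    two honest rebuilds differ (the non-reproducible case the article
    describes); fed a date recorded in the source, every rebuild is
    bit-identical."""
    return f"built-at: {timestamp}\n".encode() + source


def sign(binary: bytes) -> bytes:
    """Stand-in for the archive signature (HMAC here, not OpenPGP)."""
    return hmac.new(ARCHIVE_KEY, binary, hashlib.sha256).digest()


def signature_valid(binary: bytes, sig: bytes) -> bool:
    """What a package signature proves: this exact binary was signed by the
    key holder. It says nothing about which source it came from."""
    return hmac.compare_digest(sign(binary), sig)


def rebuild_matches(published: bytes, source: bytes, source_date: int) -> bool:
    """What a reproducible build adds: anyone can rebuild from the source
    and compare the result bit-for-bit (via SHA-256) with the published
    binary, without trusting whoever uploaded it."""
    rebuilt = build(source, source_date)
    return hashlib.sha256(rebuilt).digest() == hashlib.sha256(published).digest()


if __name__ == "__main__":
    date = 1425810694  # constructed: a date taken from the source, not the clock
    honest = build(SOURCE, date)
    # A binary that was signed but not built from the published source.
    other = build(SOURCE + b"/* not in the source package */\n", date)
    for name, binary in (("honest", honest), ("other", other)):
        print(name, "signed:", signature_valid(binary, sign(binary)),
              "rebuild matches:", rebuild_matches(binary, SOURCE, date))
```

Both binaries carry a valid signature; only the one actually derived from SOURCE survives the independent rebuild check.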