[Reproducible-builds] jenkins.debian.net quality monitoring feedback...

Holger Levsen holger at layer-acht.org
Sun Mar 8 10:31:34 UTC 2015

Hi marty,

On Sonntag, 8. März 2015, marty h wrote:
> Hi Holger...
> I was excited to read about your work in theregister the other week and
> posted the article on a debian forum:
> http://forums.debian.net/viewtopic.php?f=20&t=120633
> One of the post respondents, tomazzi provided the feedback pasted below.
> What would be your response in regards to his rationale? Would you mind if
> i posted your reply in the forum? Thanks in advance for any feedback you
> are able to provide. All the best with your project.

thanks. (just please send further followups to the mailinglist and not to me 
directly. I've bcc:'ed you as I'm not sure you are fine with your address on a 
public list.)

i'll keep it very brief as its really all documented.
> =====================================================
> tomazzi wrote:
> To be honest, I don't get the rationale for this project:
> - Source packages are digitally signed,
> - Binary packages are digitally signed.
> So: the only way to have an "untrusted binary" is to use 3rd party packages
> or non-official sources.

reproducible builds are about enabling *everyone* to be able to independently 
confirm that a certain binary is derived from a certain source. (and this is 
done by creating bit-identical rebuilds.)

today you have to trust *somewone*, who says "this binary comes from this 
source". but noone can confirm this...

> I
>  understand, that a way to confirm that a signed 3rd party package is
> compiled from official sources could be useful (nobody should even try
> unsigned binaries) - but this is not a case in Debian - so what is this
> all about?

see above.

I suggest you see watch this video:


this is a short intro about the project:


or this: https://lists.debian.org/debian-devel-announce/2015/02/msg00007.html

> Anyway and definitely, this is bullshit:
> The
>  biggest such gap is that compilation and packaging processes aren't
> reproducible. Trying to recreate these processes typically yields a
> different result.

this can be fixed and this is what the project is about.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 828 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.alioth.debian.org/pipermail/reproducible-builds/attachments/20150308/42e727dd/attachment.sig>

More information about the Reproducible-builds mailing list