[Reproducible-builds] Reproducibility vs signatures
Jérémy Bobbio
lunar at debian.org
Mon Aug 3 08:27:37 UTC 2015
Ben Hutchings:
> At some point we're hopefully going to support Secure Boot on amd64.
> That means there will be a signed kernel image (separate from the
> current linux-image packages) and a signed GRUB image. The kernel
> modules in the linux-image packages will also be signed, probably with
> an ephemeral key.
>
> All these signatures will all be embedded within binaries and will of
> course not be reproducible. The locations of differences will however
> be predictable.
>
> How should we deal with this limited variability? Could source
> packages or buildinfo describe the expected variations somehow?
One way to solve this, although a bit wasteful on resources, is to use
the clean rule to perform a first build and create a signature to be
added to the source package.
See my suggested patch for wireless-regdb which implements this idea:
https://bugs.debian.org/725803#29
Would that be a good fit for Linux or GRUB?
--
Lunar .''`.
lunar at debian.org : :Ⓐ : # apt-get install anarchism
`. `'`
`-
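As an added illustration of Ben's question about having buildinfo describe the expected variations (this is not code from the thread, from Debian, or from the wireless-regdb patch): a check that two builds differ only inside the byte regions a hypothetical buildinfo-style descriptor declares, plus a digest computed with those regions masked so independently rebuilt copies can still be compared by hash. The sample "images", the region offsets and the descriptor format are all constructed for the example.

```python
import hashlib

# Constructed sample artifacts: two builds of the same image that differ
# only inside the embedded signature (ephemeral key => different bytes).
BUILD_A = b"KERNEL-IMAGE-HEADER" + b"\x00" * 16 + b"SIG:" + b"\x11" * 12 + b"TRAILER"
BUILD_B = b"KERNEL-IMAGE-HEADER" + b"\x00" * 16 + b"SIG:" + b"\x22" * 12 + b"TRAILER"

# Hypothetical buildinfo-style descriptor (assumed format, not a real field):
# the signature occupies 12 bytes starting at offset 39.
EXPECTED_VARIATIONS = [
    {"offset": 39, "length": 12, "reason": "module signature, ephemeral key"},
]


def _check_regions(size, regions):
    """Reject descriptors that point outside the artifact."""
    for r in regions:
        if r["offset"] < 0 or r["offset"] + r["length"] > size:
            raise ValueError("declared region extends past end of artifact")


def unexpected_differences(a, b, regions):
    """Return offsets where a and b differ outside the declared regions."""
    if len(a) != len(b):
        raise ValueError("artifacts differ in length; regions cannot explain that")
    _check_regions(len(a), regions)
    allowed = set()
    for r in regions:
        allowed.update(range(r["offset"], r["offset"] + r["length"]))
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y and i not in allowed]


def masked_digest(data, regions):
    """SHA-256 of the artifact with the declared variable regions zeroed."""
    _check_regions(len(data), regions)
    buf = bytearray(data)
    for r in regions:
        buf[r["offset"]:r["offset"] + r["length"]] = b"\x00" * r["length"]
    return hashlib.sha256(bytes(buf)).hexdigest()


def reproducible_modulo_signatures(a, b, regions):
    """True when the only differences are the declared signature regions."""
    return (not unexpected_differences(a, b, regions)
            and masked_digest(a, regions) == masked_digest(b, regions))
```

A build that differs anywhere outside the declared regions (for example a changed trailer byte) is reported by offset rather than silently accepted.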