[Reproducible-builds] .buildinfo should contain source hashes (as well as binary hashes)
Ximin Luo
infinity0 at debian.org
Mon Sep 21 10:38:45 UTC 2015
On 20/09/15 19:22, Johannes Schauer wrote:
> Hi,
>
> Quoting Ximin Luo (2015-09-20 18:49:16)
>> Currently, to run a DDC test, we would have to read the buildinfo file, find
>> the hashes of the binary build-deps, lookup the source packages that
>> corresponds to these hashes, find a different binary build-deps for these
>> hashes, and run our DDC-checker. This takes many round trips, and contacting
>> external infrastructure that isn't necessary.
>>
>> If .buildinfo files contained source hashes, the DDC-checker could work more
>> directly, without requiring a remote repository of source hash <-> binary
>> hash mappings.
>
> which packages would benefit from this?
>
Every package that is (or might be, in the future) a build-dep of another package would benefit, because it would make it easier to check (though this is being discussed in the other branch) that *source* build-deps result in a fixed-binary, regardless of how they are compiled (e.g. if they're compiled by something compromised).
gcc and clang are only examples for the DDC case, but the point generally applies to (a) { checking that binary0(source1)==binary1 } vs (b) { checking that source0(source1)==binary1 }. For DDC, we do (b) and select source0 = source1, but it's harder to select this if we only have information about (a).
X
--
GPG: 4096R/1318EFAC5FBBDBCE
git://github.com/infinity0/pubkeys.git
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/reproducible-builds/attachments/20150921/55205fc5/attachment.sig>
More information about the Reproducible-builds
mailing list