binutils-dev: included log files introduce reproducibility issues
lamby at debian.org
Tue Feb 25 01:57:04 GMT 2020
Vagrant Cascadian wrote:
> > Or you could add a override database for files which are expected to differ.
> This is considerably more complicated than running a checksum on the
> resulting .deb files and is another opportunity for bugs to lead to
> incorrect reproducibility results...
I would very much underline Vagrant's hesitation regarding a
centralised database. Such overrides would get out of date (or at
least out of sync) amongst many many other concerns including it,
albeit at a slight stretch, being a possible attack vector.
The ability to check reproducibility with no other knowledge or tools
other than cmp(1) or sha256sum(1) etc. does not seem to be that
important as it might initially appear but it extremely valuable as it
is so simple, engendering trust, lowering the barrier to entry,
reducing mistakes, etc. etc.
> which I think has actually happened when trying this kind of approach
> in the past, though I don't have a reference off the top of my head.
(Vagrant, are you perchance thinking of RPM? If I recall correctly, the
signatures in question there are embedded in the .rpm itself so you
need a special tool to even extract them.)
: :' : Chris Lamb
`. `'` lamby at debian.org 🍥 chris-lamb.co.uk
More information about the Reproducible-builds