Reproducible builds
If on current and a package is built from source, shouldn't the binaries be identical to what's installed? I was surprised when a package with only three core libraries (using ldd) was a different size than the installed binary. Mine was 104 bytes larger. I may have to use objdump to determine what's different. I was thinking maybe a couple or few bytes for timestamps or something, but not 104.
I'm not super worried, more curious, so don't anybody freak. If you're curious about reproducible builds, here's Debian's ambitious project: https://wiki.debian.org/ReproducibleBuilds
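
Added example, not part of any post in this thread: one way to see where a size difference between an installed and a rebuilt binary sits is to compare ELF section sizes (the same information `objdump -h` prints). The two ELF64 images are constructed in-line, `make_elf` is a hypothetical helper that exists only to build them, and the 104-byte difference is placed in `.comment` purely for illustration, not as a diagnosis of the poster's binary.

```python
import struct

def section_sizes(elf: bytes) -> dict:
    """Map section name -> size in bytes for a little-endian ELF64 image."""
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    shoff = struct.unpack_from("<Q", elf, 0x28)[0]             # e_shoff
    shentsize, shnum, shstrndx = struct.unpack_from("<HHH", elf, 0x3A)
    # Leading fields of each header: sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size
    hdrs = [struct.unpack_from("<IIQQQQ", elf, shoff + i * shentsize)
            for i in range(shnum)]
    strtab = hdrs[shstrndx][4]                                 # file offset of .shstrtab
    sizes = {}
    for name_off, _type, _flags, _addr, _off, size in hdrs:
        start = strtab + name_off
        name = elf[start:elf.index(b"\0", start)].decode()
        if name:                                               # skip the null section
            sizes[name] = size
    return sizes

def diff_sections(old: bytes, new: bytes) -> dict:
    """Return {section: size delta} for sections whose size changed."""
    a, b = section_sizes(old), section_sizes(new)
    return {n: b.get(n, 0) - a.get(n, 0)
            for n in sorted(a.keys() | b.keys()) if a.get(n, 0) != b.get(n, 0)}

def make_elf(sections: dict) -> bytes:
    """Hypothetical helper: build a minimal ELF64 image holding only sections."""
    names = b"\0" + b"".join(n.encode() + b"\0" for n in [*sections, ".shstrtab"])
    blob, hdrs = b"", [bytes(64)]                              # index 0 is the null section
    for name, data in {**sections, ".shstrtab": names}.items():
        hdrs.append(struct.pack("<IIQQQQIIQQ", names.index(name.encode() + b"\0"),
                                1, 0, 0, 64 + len(blob), len(data), 0, 0, 1, 0))
        blob += data
    ehdr = struct.pack("<6s10xHHIQQQIHHHHHH", b"\x7fELF\x02\x01", 2, 62, 1, 0, 0,
                       64 + len(blob), 0, 64, 0, 0, 64, len(hdrs), len(hdrs) - 1)
    return ehdr + blob + b"".join(hdrs)

# Constructed sample data: identical code, different .comment length.
INSTALLED = make_elf({".text": b"\x90" * 4096, ".comment": bytes(32)})
REBUILT = make_elf({".text": b"\x90" * 4096, ".comment": bytes(136)})

if __name__ == "__main__":
    print(len(REBUILT) - len(INSTALLED), diff_sections(INSTALLED, REBUILT))
```

To compare real files, pass the bytes of the installed and rebuilt binaries to `diff_sections` in place of the constructed images.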
No, because the official package may not have been built in -current. There's a rather long thread around here where that is discussed.
Pat updates -current by rebuilding a few packages at a time. Obviously, that means that most of the packages in -current weren't built against the current snapshot.
If you have ever read up on hard dependencies versus soft dependencies, it should explain it better.
Thank you, ponce, for that link!
I wasn't around much last Fall (13.37 was working just fine for me on my trusty-old 2011 Laptop :) ). I've saved the link in my URL Lint in my Security-Related/ Directory.
And thanks to 55020 for post #13!
-- kjh
I read over Debian's page some and got here:
https://wiki.debian.org/Reproducible...oSpecification
I think calling it "reproducible builds" is a bit misleading. I would call it an audit. And they are capturing enough of a fingerprint so that hopefully the build system can be fully recreated where a package was built on. They are not saying that the packages must be built 100% identically in each stable release, but I could have missed it. But reproducible builds would be a nice side-effect.
Audits are good, but I don't think it should be required of distributions to track this much detail, nor to rebuild the entire package set prior to a stable release. I do think much fear of not knowing all the details can go away based on how you trust your tool-chain. I don't think that simply automating this into the packaging system really is going to gain much.
There was a lot of applause.
The talk was given at FOSDEM 2016.
http://video.fosdem.org/2016/janson/...ble-builds.mp4
https://archive.fosdem.org/2016/sche..._ecosystem.pdf