
Re: [gnu-prog-discuss] Automake dist reproducibility


From: Ludovic Courtès
Subject: Re: [gnu-prog-discuss] Automake dist reproducibility
Date: Tue, 22 Dec 2015 23:20:58 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)

Pádraig Brady <address@hidden> wrote:

> On 22/12/15 17:00, Mike Gerwitz wrote:
>> There is ongoing discussion about reproducible builds within GNU.  I'm
>> having trouble figuring out the best approach for deterministic
>> distribution archives using Automake.
>
> I've not thought much about this, but I'm
> wondering about how useful deterministic tarballs are?
>
> The main thrust of reproducible builds is to verify what's
> running on the system, and there are so many variables
> between the tarball and build, that I'm not sure it's
> worth worrying about non determinism in the intermediate steps?
>
> Perhaps the main focus for tarballs should just be to
> ensure they're properly signed.

You’re right that deterministic tarballs are not the immediate concern
of reproducible builds; usually, we focus on binaries.

However, if running ‘make dist’ at a given commit of a project leads to
exactly one tarball, then people can verify the tarball against the VCS
commit.  This is especially interesting when people sign commits/tags.
We could authenticate code with much finer grain.

This also reduces incentives to attack the person that runs ‘make dist’
and signs the result since anyone could independently check the tarball.

Basically the same motivation as with reproducible builds, but one level
higher.

Ludo’.
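The check the message describes, as an added example that is not part of this thread and is not Automake's own `make dist` code: a small Python script that packs a source tree into a tar.gz using only inputs derived from the tree (sorted entry order, a fixed per-entry timestamp taken from the commit, a zeroed gzip header timestamp, no build-machine owner information), then rebuilds from the same tree and compares SHA-256 digests the way a third party would against a signed commit. The sample tree and commit timestamp are constructed for the example; the `SOURCE_DATE_EPOCH` convention it mirrors is the reproducible-builds one, not something the thread discusses. A naive clock-stamped build is included alongside to show which inputs make the archive drift between runs.

```python
"""Deterministic tarball construction and verification (added example)."""
import gzip
import hashlib
import io
import tarfile

# Constructed sample tree standing in for the distdir that `make dist`
# would package; paths map to file contents.
SAMPLE_TREE = {
    "pkg-1.0/src/main.c": b"int main(void) { return 0; }\n",
    "pkg-1.0/configure.ac": b"AC_INIT([pkg], [1.0])\n",
    "pkg-1.0/README": b"sample project\n",
}


def build_tarball(tree, entry_mtime, gzip_mtime, sort_entries):
    """Pack `tree` ({path: bytes}) into a .tar.gz and return its bytes.

    The three knobs are the usual sources of non-determinism that an
    unconfigured archive picks up from its environment: per-entry
    timestamps, the timestamp in the gzip header, and entry ordering.
    """
    names = sorted(tree) if sort_entries else list(tree)
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.PAX_FORMAT) as tf:
        for name in names:
            data = tree[name]
            ti = tarfile.TarInfo(name)
            ti.size = len(data)
            ti.mtime = entry_mtime
            ti.mode = 0o644
            ti.uid = ti.gid = 0        # the build machine's owner must not leak in
            ti.uname = ti.gname = ""
            tf.addfile(ti, io.BytesIO(data))
    # gzip.compress(mtime=...) controls the header timestamp (Python 3.8+).
    return gzip.compress(raw.getvalue(), compresslevel=9, mtime=gzip_mtime)


def deterministic_tarball(tree, source_date_epoch):
    """Build the archive from inputs derived from the source tree only.

    `source_date_epoch` plays the role of the SOURCE_DATE_EPOCH convention:
    a timestamp taken from the VCS commit rather than from the clock.
    """
    return build_tarball(tree, entry_mtime=source_date_epoch,
                         gzip_mtime=0, sort_entries=True)


def naive_tarball(tree, build_time):
    """Archive the way a clock-stamped, unsorted tar invocation would."""
    return build_tarball(tree, entry_mtime=build_time,
                         gzip_mtime=build_time, sort_entries=False)


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def verify_tarball(published, tree, source_date_epoch):
    """Rebuild from the checked-out tree and compare digests.

    This is the check anyone can run once releases are deterministic:
    rebuild from the signed commit and compare with the published file.
    Returns (matches, expected_digest, actual_digest).
    """
    expected = sha256(deterministic_tarball(tree, source_date_epoch))
    actual = sha256(published)
    return actual == expected, expected, actual


if __name__ == "__main__":
    COMMIT_TIME = 1450822858  # constructed: stands in for the commit's timestamp
    release = deterministic_tarball(SAMPLE_TREE, COMMIT_TIME)
    ok, expected, got = verify_tarball(release, SAMPLE_TREE, COMMIT_TIME)
    print("rebuild from commit matches release:", ok, got)
    a = naive_tarball(SAMPLE_TREE, 1700000000)
    b = naive_tarball(SAMPLE_TREE, 1700000001)
    print("naive builds one second apart agree:", sha256(a) == sha256(b))
```

Run it twice, on two machines if you like: the deterministic digest stays the same, while the naive variant changes with every tick of the clock, which is exactly why a verifier cannot compare a clock-stamped archive against the commit it claims to come from. Real `make dist` output additionally depends on the tar and gzip flags Automake passes, so the same timestamp, ordering and ownership normalization has to be applied there for the VCS-to-tarball comparison to hold.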


