[rb-general] [Gnuk-users] Reproducible builds for gnuk?

Vagrant Cascadian vagrant at debian.org
Fri Nov 24 19:19:47 CET 2017


On 2017-11-24, Erik Adler wrote:
> It would be nice if it was possible to compile Gnuk as a reproducible
> build.

Indeed!

We had a brief discussion about packaging it for Debian, which has
infrastructure for automated reproducibility testing, but the main
blocker seemed to be issues around the USB ID embedded in the binary,
and maybe the unique serial as well:

  https://lists.alioth.debian.org/pipermail/gnuk-users/2017q4/000603.html

The best way forward seemed to be to figure out a way to build a Gnuk
binary with an empty placeholder for USB ID/serial and a way to inject
them when installing to the actual device.

I'm guessing this is just coming down to someone writing the patches.


> More and more security related projects are going this route.
> This could be done in a docker container.

There is something to be said for getting reproducibility through a
sanitized build environment, as it works around some of the more
complicated challenges of reproducibility.


It would be a stronger security property to not require a sanitized
build environment, but merely document the toolchain and other factors
used to perform the build:

  https://reproducible-builds.org/docs/perimeter/

In recent versions of Debian, tooling generates a .buildinfo file which
can be used to describe the build environment:

  https://wiki.debian.org/ReproducibleBuilds/BuildinfoFiles


live well,
  vagrant
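
The placeholder-and-inject approach described in the message above, as an added example (not part of the original message and not Gnuk's code): the marker, field size, sample image and device ID are all hypothetical. The published image hashes reproducibly, and an installed image is verified by blanking the device field again before hashing.

```python
import hashlib

# Hypothetical layout, not Gnuk's real format: the reproducible image reserves
# a fixed-size, 0xFF-filled field that follows a unique marker.
MARKER = b"DEVID-PLACEHOLDER:"
FIELD_LEN = 16
BLANK = b"\xff" * FIELD_LEN

# Constructed stand-in for a firmware image built with an empty placeholder.
SAMPLE_IMAGE = b"\x7fCODE" * 8 + MARKER + BLANK + b"\x00more-code\x00" * 4
REFERENCE = hashlib.sha256(SAMPLE_IMAGE).hexdigest()  # what rebuilders compare

def find_field(image: bytes) -> int:
    """Return the offset of the device field; require exactly one marker."""
    if image.count(MARKER) != 1:
        raise ValueError("expected exactly one placeholder marker")
    return image.index(MARKER) + len(MARKER)

def inject(image: bytes, device_id: bytes) -> bytes:
    """Write device_id into the blank field at install time."""
    if len(device_id) > FIELD_LEN:
        raise ValueError("device id does not fit the reserved field")
    off = find_field(image)
    if image[off:off + FIELD_LEN] != BLANK:
        raise ValueError("field is not blank (already injected or truncated)")
    padded = device_id.ljust(FIELD_LEN, b"\x00")
    return image[:off] + padded + image[off + FIELD_LEN:]

def canonical_digest(image: bytes) -> str:
    """SHA-256 of the image with the device field reset to the placeholder."""
    off = find_field(image)
    blanked = image[:off] + BLANK + image[off + FIELD_LEN:]
    return hashlib.sha256(blanked).hexdigest()

def verify(installed: bytes, reference_digest: str) -> bool:
    """True if the installed image differs from the build only in the field."""
    return canonical_digest(installed) == reference_digest

if __name__ == "__main__":
    installed = inject(SAMPLE_IMAGE, b"1234:abcd/SN0001")  # constructed ID
    print("raw hash matches:      ", hashlib.sha256(installed).hexdigest() == REFERENCE)
    print("canonical hash matches:", verify(installed, REFERENCE))
    tampered = bytes([installed[0] ^ 1]) + installed[1:]
    print("tampered image passes: ", verify(tampered, REFERENCE))
```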