[rb-general] [Gnuk-users] Reproducible builds for gnuk?
Vagrant Cascadian
vagrant at debian.org
Fri Nov 24 19:19:47 CET 2017
On 2017-11-24, Erik Adler wrote:
> It would be nice if it was possible to compile Gnuk as a reproducible
> build.
Indeed!
We had a brief discussion about packaging it for Debian, which has
infrastructure for automated reproducibility testing, but the main
blocker seemed to be issues around the USB ID embedded in the binary,
and maybe the unique serial as well:
https://lists.alioth.debian.org/pipermail/gnuk-users/2017q4/000603.html
The best way forward seemed to be to figure out a way to build a Gnuk
binary with an empty placeholder for USB ID/serial and a way to inject
them when installing to the actual device.
I'm guessing this is just coming down to someone writing the patches.
> More and more security related projects are going this route.
> This could be done in a docker container.
There is something to be said for getting reproducibility through a
sanitized build environment, as it works around some of the more
complicated challenges of reproducibility.
It would be a stronger security property to not require a sanitized
build environment, but merely document the toolchain and other factors
used to perform the build:
https://reproducible-builds.org/docs/perimeter/
In recent versions of Debian, tooling generates a .buildinfo file which
can be used to describe the build environment:
https://wiki.debian.org/ReproducibleBuilds/BuildinfoFiles
live well,
vagrant
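
The placeholder-and-inject approach suggested in the message above, sketched as an added example (not part of the original post and not Gnuk's own code). The marker, slot layout, USB IDs and image bytes are all hypothetical and constructed for illustration; the point is that a personalized image can still be checked against the one reproducible build.

```python
import hashlib

# Hypothetical layout (not Gnuk's real one): a 16-byte marker followed by a
# fixed-size slot that the reproducible build leaves filled with 0xFF.
MAGIC = b"@@DEVICE-ID-SLOT"   # constructed marker
SLOT_LEN = 4 + 16             # 2-byte VID + 2-byte PID + 16-byte serial
EMPTY = b"\xff" * SLOT_LEN


def slot_offset(image: bytes) -> int:
    """Return the offset of the slot; require exactly one marker."""
    if image.count(MAGIC) != 1:
        raise ValueError("expected exactly one placeholder marker")
    off = image.index(MAGIC) + len(MAGIC)
    if off + SLOT_LEN > len(image):
        raise ValueError("truncated slot")
    return off


def inject(image: bytes, vid: int, pid: int, serial: bytes) -> bytes:
    """Fill the empty slot at install time; refuse to overwrite a used slot."""
    off = slot_offset(image)
    if image[off:off + SLOT_LEN] != EMPTY:
        raise ValueError("slot already personalized")
    if len(serial) > 16:
        raise ValueError("serial too long")
    ids = vid.to_bytes(2, "little") + pid.to_bytes(2, "little")
    return image[:off] + ids + serial.ljust(16, b"\x00") + image[off + SLOT_LEN:]


def canonical_digest(image: bytes) -> str:
    """SHA-256 of the image with the slot reset to the empty placeholder."""
    off = slot_offset(image)
    blank = image[:off] + EMPTY + image[off + SLOT_LEN:]
    return hashlib.sha256(blank).hexdigest()


# Constructed stand-in for a firmware image built with an empty slot.
BUILD = b"\x00\x20\x00\x20" + b"code" * 8 + MAGIC + EMPTY + b"more code"
DEVICE_A = inject(BUILD, 0x1234, 0x0001, b"SERIAL-A")  # constructed IDs
DEVICE_B = inject(BUILD, 0x1234, 0x0001, b"SERIAL-B")
```

Two devices end up with different flashed images, yet both reduce to the digest of the unpersonalized build, while a change anywhere outside the slot alters that digest.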