[rb-general] [jvm] How to share rebuilder attestations
Holger Levsen
holger at layer-acht.org
Mon Jan 7 14:48:32 CET 2019
On Mon, Jan 07, 2019 at 01:39:35PM +0000, Daniel Shahaf wrote:
> Bit-for-bit reproducibility should be our goal, but it's not a _sine qua
> non_. In a pinch, out of pragmatism, one can get by with less. For
> example, if there were some binary package whose rebuilds are identical
> up to the copyright year in the commented header of some script file,
> that'd be workable. The process of comparing two binaries to confirm
> they match would be more expensive, and the probability of false
> positive comparisons (binaries that compare equal but aren't) higher,
> but that doesn't make that package _insecure_; it merely makes it _less
> secure_. (Security isn't a binary dimension.)
This makes the verification process more insecure though, if the
verification tool needs to parse the data...
IIRC Signal had such a verification tool, which would exclude some areas
when comparing two Signal builds. And within a day a bug was found in
that tool...
--
cheers,
Holger
-------------------------------------------------------------------------------
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
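The trade-off discussed in this exchange, as an added illustration that is not code from the Reproducible Builds project or from either poster: a bit-for-bit check beside a "tolerant" check that only forgives a differing copyright year inside a comment line, and a careless variant of the same idea that also masks a changed port number. The artifacts are constructed sample script files and the normalisation rules are hypothetical; the point is that any tolerance puts a parser in the trust path and raises the false-positive rate the quoted mail describes.

```python
"""Strict vs. tolerant comparison of two rebuilt artifacts (added example)."""
import re
from itertools import zip_longest

# Constructed sample artifacts: the same script file as produced by rebuilds.
BUILD_A = b'#!/bin/sh\n# Copyright 2018 Example Project\nPORT=8080\nexec daemon --port "$PORT"\n'
# Differs from BUILD_A only in the year of the commented header.
BUILD_B = b'#!/bin/sh\n# Copyright 2019 Example Project\nPORT=8080\nexec daemon --port "$PORT"\n'
# Differs in the header year AND in a configuration line (the port).
BUILD_C = b'#!/bin/sh\n# Copyright 2019 Example Project\nPORT=9090\nexec daemon --port "$PORT"\n'


def strict_equal(a: bytes, b: bytes) -> bool:
    """Bit-for-bit comparison: no parsing, nothing to get wrong."""
    return a == b


# Hypothetical narrow rule: a four-digit year may differ only on a '#' comment
# line that carries the word "Copyright". Every other byte must match.
_YEAR_IN_COPYRIGHT_COMMENT = re.compile(rb"^(#.*?Copyright\D*)(\d{4})", re.M)


def normalize_narrow(data: bytes) -> bytes:
    """Replace the tolerated year with a fixed token before comparing."""
    return _YEAR_IN_COPYRIGHT_COMMENT.sub(rb"\g<1>YYYY", data)


def tolerant_equal(a: bytes, b: bytes) -> bool:
    """Equal up to the copyright year in the commented header."""
    return normalize_narrow(a) == normalize_narrow(b)


# Hypothetical careless rule: blank out any four-digit run anywhere. Easier to
# write, but it also hides a changed port number, i.e. a false positive.
_ANY_FOUR_DIGITS = re.compile(rb"\d{4}")


def normalize_broad(data: bytes) -> bytes:
    return _ANY_FOUR_DIGITS.sub(b"YYYY", data)


def careless_equal(a: bytes, b: bytes) -> bool:
    """Equal after the over-broad normalisation; accepts BUILD_A vs BUILD_C."""
    return normalize_broad(a) == normalize_broad(b)


def differing_lines(a: bytes, b: bytes) -> list:
    """1-based line numbers where the two artifacts differ, for a verifier's report."""
    pairs = zip_longest(a.splitlines(), b.splitlines())
    return [i + 1 for i, (x, y) in enumerate(pairs) if x != y]


if __name__ == "__main__":
    for name, other in (("BUILD_B", BUILD_B), ("BUILD_C", BUILD_C)):
        print(name, "strict:", strict_equal(BUILD_A, other),
              "tolerant:", tolerant_equal(BUILD_A, other),
              "careless:", careless_equal(BUILD_A, other),
              "lines:", differing_lines(BUILD_A, other))
```

Running it shows BUILD_B rejected by the strict check but accepted by the narrow tolerant one (only line 2 differs), while BUILD_C is rejected by the tolerant check yet accepted by the careless one even though line 3 changed. Whatever rule a verifier adopts, the normaliser itself becomes code that has to be reviewed and tested as carefully as the build.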