[rb-general] [jvm] How to share rebuilder attestations

Holger Levsen holger at layer-acht.org
Mon Jan 7 14:48:32 CET 2019

On Mon, Jan 07, 2019 at 01:39:35PM +0000, Daniel Shahaf wrote:
> Bit-for-bit reproducibility should be our goal, but it's not a _sine qua
> non_.  In a pinch, out of pragmatism, one can get by with less.  For
> example, if there were some binary package whose rebuilds are identical
> up to the copyright year in the commented header of some script file,
> that'd be workable.  The process of comparing two binaries to confirm
> they match would be more expensive, and the probability of false
> positive comparisons (binaries that compare equal but aren't) higher,
> but that doesn't make that package _insecure_; it merely makes it _less
> secure_.  (Security isn't a binary dimension.)

this makes the verification process more insecure though, if the
verification tool needs to parse the data...

iirc signal had such a verification tool, which would exclude some areas
when comparing two signal builds. and within a day a bug was found in
that tool...


       PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
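
Added example, not part of the original message and not code from any tool mentioned in the thread: a sketch of the trade-off discussed above, comparing a bit-for-bit check with two "tolerant" comparators for the copyright-year case. The sample builds and all function names are constructed for illustration.

```python
import hashlib
import re

# Constructed sample builds of one script file.
BUILD_A = b"#!/bin/sh\n# Copyright 2018 Example Project\necho hello\n"
# Rebuild differing only in the copyright year of the commented header.
BUILD_B = b"#!/bin/sh\n# Copyright 2019 Example Project\necho hello\n"
# Rebuild whose body differs.
BUILD_C = b"#!/bin/sh\n# Copyright 2019 Example Project\necho goodbye\n"
# Rebuild with an extra executable line that happens to mention "Copyright".
BUILD_D = BUILD_A + b"echo extra  # Copyright 2019\n"


def bit_for_bit(a: bytes, b: bytes) -> bool:
    """No parsing at all: the comparison is a digest over the raw bytes."""
    return hashlib.sha256(a).digest() == hashlib.sha256(b).digest()


def naive_tolerant(a: bytes, b: bytes) -> bool:
    """Hypothetical careless comparator: ignores every line that mentions
    'Copyright', so it also ignores code on such a line."""
    def strip(data: bytes) -> list:
        return [ln for ln in data.splitlines(keepends=True)
                if b"Copyright" not in ln]
    return strip(a) == strip(b)


# Matches only a whole-line comment header; only the 4-digit year is masked.
_YEAR = re.compile(rb"(?m)^# Copyright \d{4} ")


def anchored_tolerant(a: bytes, b: bytes) -> bool:
    """Hypothetical narrower comparator: masks just the year, then hashes."""
    def norm(data: bytes) -> bytes:
        return _YEAR.sub(b"# Copyright YYYY ", data)
    return bit_for_bit(norm(a), norm(b))


def report() -> dict:
    """Run every comparator against BUILD_A and each rebuild."""
    rebuilds = {"B": BUILD_B, "C": BUILD_C, "D": BUILD_D}
    checks = {"bit_for_bit": bit_for_bit, "naive": naive_tolerant,
              "anchored": anchored_tolerant}
    return {(c, r): fn(BUILD_A, data)
            for c, fn in checks.items() for r, data in rebuilds.items()}


if __name__ == "__main__":
    for key, equal in sorted(report().items()):
        print(key, "match" if equal else "differ")
```

The naive comparator reports BUILD_D as matching BUILD_A even though it contains an extra command; every rule a tolerant comparator adds is parsing logic that has to be reviewed as carefully as the build itself.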