Upcoming changes to Debian Linux kernel packages
David A. Wheeler
dwheeler at dwheeler.com
Mon Sep 25 15:41:09 UTC 2023
> On Sep 25, 2023, at 6:52 AM, Holger Levsen <holger at layer-acht.org> wrote:
>
> FYI, "this will make the build unreproducible"... :/
>
> ----- Forwarded message from Bastian Blank <waldi at debian.org> -----
>
> Date: Sun, 24 Sep 2023 15:01:47 +0200
> From: Bastian Blank <waldi at debian.org>
> To: debian-kernel at lists.debian.org
> ...
> ## Kernel modules will be signed with an ephemeral key
>
> The modules will no longer be signed using the Secure Boot CA like the
> EFI kernel image itself. Instead a key will be created during the build
> and thrown away after.
>
> Yes, this will make the build unreproducible, but no better solution
> currently exists. There are some plans, but no-one is working on them.
> If a suitable replacement shows up, we can always switch to that
> solution.

Ugh. In the US, the usual retort is, "Other than that, Mrs. Lincoln, how did you enjoy the play?"
[Context: Abraham Lincoln was murdered at a play. This retort is sometimes used
when someone is trying to ignore an important issue.]

What exactly are these "plans"?

The obvious solution is to have the signatures *not* be included in the build
(or at least, not the part being verified for reproducibility). It's trivial to recompute
a hash of a binary object (you have to do that anyway to verify a digital signature),
and then use the digital signature *not* stored in what's being verified.

I think it's important that reproducibility-of-builds be part of every
Linux distro package's test suite. Then it's immediately clear that something went wrong.

--- David A. Wheeler
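
The comparison described in the message above, as an added example that is not part of the original e-mail or of Debian's tooling: it strips the signature the kernel build appends to a module and hashes only what remains, so two builds signed with different throwaway keys can still be compared. The function names and sample bytes are constructed for illustration, and the sketch assumes an uncompressed module carrying the kernel's appended-signature trailer; it does not address a public key embedded in the kernel image itself.

```python
import hashlib
import struct

# Marker the kernel's module signing appends as the last bytes of a signed module.
MAGIC = b"~Module signature appended~\n"
# struct module_signature: algo, hash, id_type, signer_len, key_id_len,
# 3 pad bytes, then sig_len as a big-endian 32-bit integer (12 bytes total).
TRAILER = struct.Struct(">BBBBB3xI")


def strip_module_signature(blob: bytes) -> bytes:
    """Return the module bytes without the appended signature.

    Input that does not end in MAGIC is treated as unsigned and returned as-is.
    """
    if not blob.endswith(MAGIC):
        return blob
    end = len(blob) - len(MAGIC)
    if end < TRAILER.size:
        raise ValueError("truncated signature trailer")
    *_, sig_len = TRAILER.unpack_from(blob, end - TRAILER.size)
    payload_len = end - TRAILER.size - sig_len
    if payload_len < 0:
        raise ValueError("sig_len exceeds file size")
    return blob[:payload_len]


def payload_digest(blob: bytes) -> str:
    """SHA-256 over the part of the module that should be reproducible."""
    return hashlib.sha256(strip_module_signature(blob)).hexdigest()


def fake_signed(payload: bytes, sig: bytes) -> bytes:
    """Constructed sample: payload + stand-in signature + trailer + magic."""
    # id_type 2 is PKEY_ID_PKCS7; signer_len and key_id_len are 0 for PKCS#7.
    return payload + sig + TRAILER.pack(0, 0, 2, 0, 0, len(sig)) + MAGIC


if __name__ == "__main__":
    # Two "builds" of the same module signed with different ephemeral keys
    # (constructed bytes, not real PKCS#7 signatures).
    build_a = fake_signed(b"\x7fELF-constructed-module", b"A" * 64)
    build_b = fake_signed(b"\x7fELF-constructed-module", b"B" * 70)
    print("whole files equal:   ", build_a == build_b)
    print("payload digests equal:", payload_digest(build_a) == payload_digest(build_b))
```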