Reproducible Builds for recent Debian security updates

Vagrant Cascadian vagrant at reproducible-builds.org
Sat Mar 30 22:05:03 UTC 2024


On 2024-03-30, Salvatore Bonaccorso wrote:
> On Fri, Mar 29, 2024 at 07:38:35PM -0700, Vagrant Cascadian wrote:
>> Philipp Kern asked about trying to do reproducible builds checks for
>> recent security updates to try to gain confidence about Debian's buildd
>> infrastructure, given that they run builds in sid chroots which may have
>> used or built or run a vulnerable xz-utils...
...
> Thanks a lot for doing this verification work!

It is such an obvious application for Reproducible Builds that many
people have worked on for many years. So... I daresay, my pleasure and
honor. :)


> There would be an upcoming (or actually postponed) util-linux update
> as well. Could you as extra paranoia please verify these here as well
> (I assume it's enough for you that the source package is signed, I
> stripped the signature from the changes):
>
> https://people.debian.org/~carnil/tmp/util-linux/

I don't see any source packages there, just .deb, .changes and signed
.buildinfo files! The signed .buildinfo files are great, but would
definitely need the source code ... looks like the util-linux changes
are in a git branch, but a signed .dsc would be nice just to be sure I
am testing the same thing. That said, testing from git and getting
bit-for-bit identical results ... would be confidence inspiring!
Hmmm. Might just go for it, and if we have issues, maybe try to dig up
the .dsc? :)

live well,
  vagrant
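The check the message is describing, in working form, as an added example that is not code from the rb-general thread or from Debian's own tooling: a rebuilt package is "bit-for-bit identical" when its SHA-256 digest and size match the entry recorded in the Checksums-Sha256 field of the signed .buildinfo. The script below parses that field and compares it against files in a local directory. It assumes the .buildinfo's OpenPGP signature has already been verified separately (for instance with gpg --verify), and the package names, versions and file contents it uses are constructed stand-ins, not real util-linux artefacts; the bad.buildinfo variant carries a deliberately bogus digest so that a mismatch is visible.

```shell
#!/bin/sh
# Added example, not code from the rb-general thread or from Debian's tooling:
# check rebuilt artefacts against the Checksums-Sha256 field of a .buildinfo.
# The package names, versions and file contents below are constructed stand-ins.
set -eu

sha256_of() {
    # Print the SHA-256 hex digest of file $1 (coreutils or BSD tooling).
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

verify_buildinfo() {
    # $1: .buildinfo (its OpenPGP signature is assumed to have been checked
    #     already, e.g. with gpg --verify; this function only reads the text)
    # $2: directory holding the locally rebuilt artefacts
    # Prints one line per listed artefact; returns 0 only if every entry
    # exists and matches both the recorded size and the recorded digest.
    buildinfo=$1
    dir=$2
    status=0
    list=$(mktemp)
    # Pull out the indented continuation lines of the Checksums-Sha256 field:
    # "<sha256> <size> <filename>", one artefact per line.
    awk '/^Checksums-Sha256:/ {f=1; next} /^[^ ]/ {f=0} f && NF==3 {print $1, $2, $3}' \
        "$buildinfo" > "$list"
    while read -r expected size name; do
        path="$dir/$name"
        if [ ! -f "$path" ]; then
            echo "MISSING  $name"
            status=1
            continue
        fi
        actual=$(sha256_of "$path")
        actual_size=$(wc -c < "$path" | tr -d ' ')
        if [ "$actual" = "$expected" ] && [ "$actual_size" = "$size" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (recorded $expected, rebuilt $actual)"
            status=1
        fi
    done < "$list"
    rm -f "$list"
    return "$status"
}

make_demo_inputs() {
    # Constructed inputs in directory $1: two fake .deb files, a .buildinfo
    # whose digests match them (good), and one where example-b's digest was
    # replaced with a bogus value (bad) so a non-reproducible rebuild shows.
    dir=$1
    a=example-a_1.0-1_amd64.deb
    b=example-b_1.0-1_amd64.deb
    printf 'rebuilt package a\n' > "$dir/$a"
    printf 'rebuilt package b\n' > "$dir/$b"
    ha=$(sha256_of "$dir/$a"); sa=$(wc -c < "$dir/$a" | tr -d ' ')
    hb=$(sha256_of "$dir/$b"); sb=$(wc -c < "$dir/$b" | tr -d ' ')
    bogus=$(printf '%064d' 0)
    for variant in good bad; do
        [ "$variant" = good ] && h=$hb || h=$bogus
        cat > "$dir/$variant.buildinfo" <<EOF
Format: 1.0
Source: example
Binary: example-a example-b
Architecture: amd64
Version: 1.0-1
Checksums-Sha256:
 $ha $sa $a
 $h $sb $b
Build-Origin: Debian
Build-Architecture: amd64
EOF
    done
}

# Stand-alone demo: the first check passes, the second flags example-b.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_demo_inputs "$WORK"
for bi in good bad; do
    echo "== $bi.buildinfo"
    if verify_buildinfo "$WORK/$bi.buildinfo" "$WORK"; then
        echo "result: reproduced bit-for-bit"
    else
        echo "result: NOT reproducible, investigate before trusting the upload"
    fi
done
```

In real use the .buildinfo would be the signed one from the buildd and the directory would hold the output of a rebuild from the same source (.dsc) with the environment the .buildinfo records; a MISMATCH is a signal to investigate, not proof of tampering, since any unreproducible build step produces the same result.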