Reproducible Builds for recent Debian security updates

Vagrant Cascadian vagrant at reproducible-builds.org
Sat Mar 30 22:30:57 UTC 2024


On 2024-03-30, Vagrant Cascadian wrote:
> On 2024-03-30, Salvatore Bonaccorso wrote:
>> On Fri, Mar 29, 2024 at 07:38:35PM -0700, Vagrant Cascadian wrote:
>>> Philipp Kern asked about trying to do reproducible builds checks for
>>> recent security updates to try to gain confidence about Debian's buildd
>>> infrastructure, given that they run builds in sid chroots which may have
>>> used or built or run a vulnerable xz-utils...
> ...
>> There would be an upcoming (or actually postponed) util-linux update
>> as well. Could you as extra paranoia please verify these here as well
>> (I assume it's enough for you that the source package is signed, I
>> stripped the signature from the changes):
>>
>> https://people.debian.org/~carnil/tmp/util-linux/
>
> I don't see any source packages there, just .deb .changes and signed
> .buildinfo files! The signed .buildinfo files are great, but would
> definitely need the source code ... looks like the util-linux changes
> are in a git branch, but a signed .dsc would be nice just to be sure I
> am testing the same thing. That said, testing from git and getting
> bit-for-bit identical results ... would be confidence inspiring!
> Hmmm. Might just go for it, and if we have issues, maybe try to dig up
> the .dsc? :)

Hah. Almost in the time it took me to wonder about git vs. .dsc builds,
even with some minor differences in the build-depends, I managed a
bit-for-bit identical build of util-linux:amd64 and util-linux:all!

Tarball of build logs and .buildinfo files:

  https://people.debian.org/~vagrant/util-linux-2.38.1-5+deb12u1.verification.tar.zst

live well,
  vagrant
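Checking a rebuild against a signed .buildinfo comes down to comparing the Checksums-Sha256 entries it records with those of the rebuilt artifacts. The following Python is an added example, not Vagrant's tooling or any Debian tool; the .buildinfo excerpts and package bytes are constructed (digests are derived from those bytes), and verifying the .buildinfo signature itself is assumed to have been done beforehand.

```python
import hashlib
from typing import Dict, Tuple

Entry = Tuple[str, int]  # (sha256 hex digest, size in bytes)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_checksums_sha256(buildinfo: str) -> Dict[str, Entry]:
    """Extract {filename: (digest, size)} from the Checksums-Sha256 field of a .buildinfo."""
    entries: Dict[str, Entry] = {}
    in_field = False
    for line in buildinfo.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_field = True
            continue
        if in_field:
            if not line.startswith(" "):  # next top-level field ends the block
                break
            digest, size, name = line.split()
            entries[name] = (digest, int(size))
    return entries

def compare_buildinfos(reference: str, rebuild: str) -> Dict[str, str]:
    """Classify each artifact in the reference as identical, differs or missing-in-rebuild."""
    ref, new = parse_checksums_sha256(reference), parse_checksums_sha256(rebuild)
    return {name: ("missing-in-rebuild" if name not in new
                   else "identical" if new[name] == entry else "differs")
            for name, entry in ref.items()}

def verify_artifact(buildinfo: str, name: str, data: bytes) -> bool:
    """Check a local artifact's digest and size against what the .buildinfo records."""
    return parse_checksums_sha256(buildinfo).get(name) == (sha256_hex(data), len(data))

# Constructed stand-ins for the binary packages; the digests below are derived from them.
DEB_AMD64 = b"constructed util-linux amd64 package bytes\n"
DEB_ALL = b"constructed util-linux-locales all package bytes\n"
DEB_AMD64_TAMPERED = DEB_AMD64 + b"x"

REFERENCE = f"""Format: 1.0
Source: util-linux
Version: 2.38.1-5+deb12u1
Checksums-Sha256:
 {sha256_hex(DEB_AMD64)} {len(DEB_AMD64)} util-linux_2.38.1-5+deb12u1_amd64.deb
 {sha256_hex(DEB_ALL)} {len(DEB_ALL)} util-linux-locales_2.38.1-5+deb12u1_all.deb
Build-Origin: Debian
"""
REBUILD = f"""Checksums-Sha256:
 {sha256_hex(DEB_AMD64_TAMPERED)} {len(DEB_AMD64_TAMPERED)} util-linux_2.38.1-5+deb12u1_amd64.deb
"""
```

A real comparison would read the two .buildinfo files from disk and hash the .deb files the rebuild produced; the constructed REBUILD above deliberately differs in one artifact and omits the other.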