Reproducible Builds for recent Debian security updates

Salvatore Bonaccorso carnil at debian.org
Sun Mar 31 11:40:13 UTC 2024


Hi,

On Sat, Mar 30, 2024 at 03:30:57PM -0700, Vagrant Cascadian wrote:
> On 2024-03-30, Vagrant Cascadian wrote:
> > On 2024-03-30, Salvatore Bonaccorso wrote:
> >> On Fri, Mar 29, 2024 at 07:38:35PM -0700, Vagrant Cascadian wrote:
> >>> Philipp Kern asked about trying to do reproducible builds checks for
> >>> recent security updates to try to gain confidence about Debian's buildd
> >>> infrastructure, given that they run builds in sid chroots which may have
> >>> used or built or run a vulnerable xz-utils...
> > ...
> >> There would be an upcoming (or actually postponed) util-linux update
> >> as well. Could you as extra paranoia please verify these here as well
> >> (I assume it's enough for you that the source package is signed, I
> >> stripped the signature from the changes):
> >>
> >> https://people.debian.org/~carnil/tmp/util-linux/
> >
> > I don't see any source packages there, just .deb .changes and signed
> > .buildinfo files! The signed .buildinfo files are great, but would
> > definitely need the source code ... looks like the util-linux changes
> > are in a git branch, but a signed .dsc would be nice just to be sure I
> > am testing the same thing. That said, testing from git and getting
> > bit-for-bit identical results ... would be confidence inspiring!
> > Hmmm. Might just go for it, and if we have issues, maybe try to dig up
> > the .dsc? :)
> 
> Hah. Almost in the time it took me to wonder about git vs. .dsc builds,
> even with some minor differences in the build-depends, managed a
> bit-for-bit identical build of util-linux:amd64 and util-linux:all!
> 
> Tarball of build logs and .buildinfo files:
> 
>   https://people.debian.org/~vagrant/util-linux-2.38.1-5+deb12u1.verification.tar.zst

Thanks a lot!

Regards,
Salvatore
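The verification described in the quoted exchange comes down to comparing the artifacts listed in two independently produced .buildinfo files (the uploader's and the rebuilder's) and confirming that every .deb and .dsc carries the same SHA-256 digest and size. The following is an added example, not code from this thread or from Debian's own tooling: it parses the Checksums-Sha256 stanza of a clearsigned .buildinfo (deb822 continuation lines of the form "digest size filename"), reports per-artifact verdicts, and checks a local artifact against the recorded digest. The .buildinfo texts and payloads are constructed; the digests are not the real util-linux 2.38.1-5+deb12u1 values, and the OpenPGP signature on a real .buildinfo is assumed to be verified separately (for example with gpg) before its contents are trusted.

```python
"""Compare two .buildinfo files for bit-for-bit identical build artifacts and
check a local artifact against a recorded digest.

Added example, not code from the rb-general thread or from Debian tooling.
The sample .buildinfo texts are constructed; digests are derived from
constructed byte strings, not the real util-linux 2.38.1-5+deb12u1 values."""
import hashlib
from typing import Dict, Tuple

# Constructed artifact contents used to derive the sample digests.
SAMPLE_DSC = b"constructed util-linux dsc"
SAMPLE_DEB = b"constructed util-linux amd64 deb payload"
SAMPLE_LOCALES = b"constructed util-linux-locales all deb payload"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def buildinfo_text(locales_payload: bytes) -> str:
    """Produce a clearsigned-style .buildinfo body with a Checksums-Sha256 stanza.
    The signature block is a placeholder; a real file carries OpenPGP armour."""
    return (
        "-----BEGIN PGP SIGNED MESSAGE-----\n"
        "Hash: SHA512\n"
        "\n"
        "Format: 1.0\n"
        "Source: util-linux\n"
        "Architecture: amd64 all\n"
        "Version: 2.38.1-5+deb12u1\n"
        "Checksums-Sha256:\n"
        f" {sha256_hex(SAMPLE_DSC)} {len(SAMPLE_DSC)} util-linux_2.38.1-5+deb12u1.dsc\n"
        f" {sha256_hex(SAMPLE_DEB)} {len(SAMPLE_DEB)} util-linux_2.38.1-5+deb12u1_amd64.deb\n"
        f" {sha256_hex(locales_payload)} {len(locales_payload)} util-linux-locales_2.38.1-5+deb12u1_all.deb\n"
        "Build-Origin: Debian\n"
        "-----BEGIN PGP SIGNATURE-----\n"
        "(signature omitted in this constructed sample)\n"
        "-----END PGP SIGNATURE-----\n"
    )


BUILDINFO_UPLOADER = buildinfo_text(SAMPLE_LOCALES)              # maintainer's build
BUILDINFO_REBUILD_OK = buildinfo_text(SAMPLE_LOCALES)            # independent rebuild, identical
BUILDINFO_REBUILD_BAD = buildinfo_text(SAMPLE_LOCALES + b"\n")   # rebuild whose locales deb differs


def parse_checksums(text: str, field: str = "Checksums-Sha256") -> Dict[str, Tuple[str, int]]:
    """Return {filename: (sha256, size)} from the named checksum field.
    deb822 continuation lines start with a space; parsing stops at the PGP
    signature block so armour lines are never mistaken for checksum entries."""
    entries: Dict[str, Tuple[str, int]] = {}
    in_field = False
    for line in text.splitlines():
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break
        if in_field and line.startswith(" "):
            parts = line.split()
            if len(parts) == 3:
                digest, size, name = parts
                entries[name] = (digest.lower(), int(size))
            continue
        # Any non-continuation line either opens the field we want or closes it.
        in_field = line.startswith(field + ":")
    return entries


def compare_buildinfo(a: str, b: str) -> Dict[str, str]:
    """Per-artifact verdict: 'identical', 'differs' or 'missing' (listed in only one file)."""
    ca, cb = parse_checksums(a), parse_checksums(b)
    verdict: Dict[str, str] = {}
    for name in sorted(set(ca) | set(cb)):
        if name not in ca or name not in cb:
            verdict[name] = "missing"
        elif ca[name] == cb[name]:
            verdict[name] = "identical"
        else:
            verdict[name] = "differs"
    return verdict


def is_reproducible(a: str, b: str) -> bool:
    """True only when both files list the same artifacts with equal digest and size."""
    verdict = compare_buildinfo(a, b)
    return bool(verdict) and all(v == "identical" for v in verdict.values())


def verify_artifact(name: str, data: bytes, buildinfo: str) -> bool:
    """Check a downloaded artifact against the digest and size recorded in a .buildinfo."""
    entry = parse_checksums(buildinfo).get(name)
    if entry is None:
        return False
    digest, size = entry
    return len(data) == size and sha256_hex(data) == digest


if __name__ == "__main__":
    for name, verdict in compare_buildinfo(BUILDINFO_UPLOADER, BUILDINFO_REBUILD_BAD).items():
        print(f"{verdict:10s} {name}")
    print("reproducible:", is_reproducible(BUILDINFO_UPLOADER, BUILDINFO_REBUILD_OK))
```

Comparing digests alone tells you that two builds agree, not that either is trustworthy; the value of the check in the thread comes from the rebuild running on infrastructure independent of the buildds under suspicion, with the signature on each .buildinfo verified before the checksums are read.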

