unreproducible zlib/deflate compression in ZIP/APK files
Bernhard M. Wiedemann
bernhardout at lsmod.de
Sat Sep 7 15:46:11 UTC 2024
If I read it correctly, there are different zlib implementations that
will turn identical uncompressed data into different compressed versions.
As long as the uncompressed data matches, that is fine security-wise.
This relates to #12 of our
https://reproducible-builds.org/docs/commandments/
> 12. If Thou publishst binaries, Thou shall take note of your build inputs
If you knew exactly which zlib version was used, it should be possible
to reproduce compressed results.
Ciao
Bernhard M.
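
A way to run the check described in the message above, as an added example that is not part of the original post: compare two ZIP/APK archives by the SHA-256 of each entry's uncompressed data instead of by raw bytes. Assumptions: the two deflate compression levels stand in for two different zlib implementations, and the file names and contents are constructed sample data.

```python
import hashlib
import io
import zipfile

# Constructed sample input, not taken from any real APK.
SAMPLE_FILES = {
    "classes.dex": b"".join(b"constructed record %d\n" % i for i in range(2000)),
    "res/values.txt": b"name=value\n" * 500,
}


def build_zip(files, level):
    """Build an in-memory ZIP. `level` is an assumption of this example:
    it stands in for 'a different zlib implementation'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(files):
            # Fixed timestamp so the deflate stream is the only variable.
            info = zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0))
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, files[name], compresslevel=level)
    return buf.getvalue()


def content_digests(zip_bytes):
    """Map entry name -> SHA-256 of the uncompressed entry data."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {
            info.filename: hashlib.sha256(zf.read(info)).hexdigest()
            for info in zf.infolist()
        }


def compare(zip_a, zip_b):
    """Report byte-level equality and content-level equality separately."""
    return {
        "archives_identical": zip_a == zip_b,
        "contents_identical": content_digests(zip_a) == content_digests(zip_b),
    }


if __name__ == "__main__":
    fast = build_zip(SAMPLE_FILES, level=1)
    best = build_zip(SAMPLE_FILES, level=9)
    print(compare(fast, best))
```
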