[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Deterministic builds?

  We believe that Windows and Mac OS X both produce build results that are
  extremely difficult to verify. On Gnu/Linux sometimes the build results
  are difficult to verify.

I am not crystal clear on all the details, but NetBSD has recently
undergone a perhaps-similar effort, with the goal being that one should
be able to start with identical sources and get bit-identical binary

Key elements include:

  Using a toolchain that is part of the source tree.

  Modifying the toolchain to not embed timestamps.

  Cleaning up everyplace else that allowed variation.

But, that was a regression-test mentality effort, and I think you are
talking about a security effort, to detect subversion of platforms used
for the build.  Still, if everyone can checkout a given tag, and produce
the same bits, and compare hashes, a lot of benefit is gained - is that
your goal?

Attachment: pgpbeJyQbk1np.pgp
Description: PGP signature

tor-talk mailing list