
Re: [tor-talk] Deterministic builds?



  We believe that Windows and Mac OS X both produce build results that are
  extremely difficult to verify. On Gnu/Linux sometimes the build results
  are difficult to verify.

I am not crystal clear on all the details, but NetBSD has recently
undergone a perhaps-similar effort, with the goal being that one should
be able to start with identical sources and get bit-identical binary
releases.

Key elements include:

  Using a toolchain that is part of the source tree.

  Modifying the toolchain to not embed timestamps.

  Cleaning up everyplace else that allowed variation.

But, that was a regression-test mentality effort, and I think you are
talking about a security effort, to detect subversion of platforms used
for the build.  Still, if everyone can check out a given tag, and produce
the same bits, and compare hashes, a lot of benefit is gained - is that
your goal?

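As an added illustration of the "no embedded timestamps" and "build twice, compare hashes" points in the message above (example code, not from the original post or from NetBSD's build system): a toy build is run twice in each mode and the SHA-256 of each result compared. SOURCE_DATE_EPOCH is the reproducible-builds convention for pinning the build date; the stamp format, the file layout and the fallback epoch value are constructed for this demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post: a toy "build" run twice, once
# embedding the wall clock and its build path, once with both pinned.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# SOURCE_DATE_EPOCH is the reproducible-builds convention for pinning the build
# date; the fallback value here is arbitrary and only for this demonstration.
: "${SOURCE_DATE_EPOCH:=1000000000}"

hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# build_artifact MODE OUT: write a constructed "binary" (a build-info stamp
# followed by the source) into OUT. MODE is "stamped" or "reproducible".
build_artifact() {
    mode=$1; out=$2
    tree=$(mktemp -d "$WORK/tree.XXXXXX")   # fresh checkout; path differs every run
    printf 'int main(void) { return 0; }\n' > "$tree/main.c"   # constructed source
    if [ "$mode" = stamped ]; then
        stamp="built at $(date +%s) in $tree"          # wall clock + temp path leak in
    else
        stamp="built at $SOURCE_DATE_EPOCH in ./src"   # pinned date, relative path
    fi
    { printf '%s\n' "$stamp"; cat "$tree/main.c"; } > "$out"
}

# verify_reproducible MODE: build twice from the same source and compare the
# hashes; returns 0 only when the two artifacts are bit-identical.
verify_reproducible() {
    a=$(mktemp "$WORK/out.XXXXXX"); b=$(mktemp "$WORK/out.XXXXXX")
    build_artifact "$1" "$a"; build_artifact "$1" "$b"
    ha=$(hash_of "$a"); hb=$(hash_of "$b")
    printf '%-13s %s\n%-13s %s\n' "$1:" "$ha" "$1:" "$hb"
    [ "$ha" = "$hb" ]
}

for mode in stamped reproducible; do
    if verify_reproducible "$mode"; then echo "$mode build: hashes match"
    else echo "$mode build: hashes differ"; fi
done
```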

_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk