On Mon, Aug 24, 2015 at 11:41:21PM +0200, Vincent Bernat wrote:
> ❦ 24 August 2015 22:30 +0100, Colin Tuckley <col...@debian.org> :
>
> >> We have pushed other archive-wide goals that were not shared by
> >> all upstreams. For example, we have enabled hardening build flags
> >> on almost all packages and for packages that don't obey the
> >> appropriate flags, bugs with severity "important" were filed.
> >> That's not that different from a reproducible build.
> >
> > Sorry, but it's a *completely* different situation. The hardening
> > initiative made applications more secure and tamper resistant. The r-b
> > changes do nothing useful post-build.
>
> Letting people independently check that the builds have not been tampered
> with is also a security application of reproducible builds. This is notably
> important for the binary packages that have been built on a maintainer
> machine instead of a builder.
The latter point is moot - if we still allow binary packages that have
been built on a maintainer machine [1] into the archive by the time
everything installed on your computer will be reproducible, this would
be a huge fail in itself.

AFAIK the only place where we currently still need binary packages that
have been built on a maintainer machine is for NEW, and after someone
has implemented a solution for that there is no blocker left for
allowing only source-only uploads from maintainers.

cu
Adrian

[1] these also have other frequent issues, most notably unclean build
environments

-- 
"Is there not promise of rain?" Ling Tan asked suddenly out of the darkness.
There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed