[Rpm-ecosystem] Reproducible Builds

Florian Festi ffesti at redhat.com
Tue Mar 1 21:58:21 UTC 2016


On 03/01/2016 08:48 PM, Dave Johansen wrote:
> Aside from revision control and the current Fedora system for doing
> builds, it would be nice if the .spec and/or source .rpm had verifiable
> hashes of what the original/intended content is. My understanding is
> that a nefarious agent could easily replace a patch or source tarball in
> a source .rpm and then there's no way to detect that that happened.

While this sounds like a good idea, it is much less obvious how to do
that when it comes to an actual implementation. If you have an SRPM, you
have all the sources with it. If an attacker alters the SRPM, he or she
can just adjust the hashes. So there is no gain there.

For this feature to be useful you need to have a safe location to put
the hashes in. This is in fact dist-git for Fedora. RPM as a tool or
package format cannot provide you with such a location. It can only
allow carrying the trust you may have in such a place. RPM signatures are
doing just that (the issues of RPM signatures are intentionally not
mentioned here).

Florian

-- 

Red Hat GmbH, http://www.de.redhat.com/ Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael
O'Neill, Charles Peters
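To make the argument above concrete, the following is an added example (my own illustration, not code from Florian's message, from RPM or from dist-git). It models an SRPM as a set of source files plus a manifest of SHA-512 digests in the `SHA512 (name) = hex` line format dist-git uses, with made-up file names and contents. It then shows the two checks side by side: a manifest that travels inside the package is regenerated along with the tampered tarball and verifies cleanly, while the same package checked against a manifest pinned outside it (the dist-git role) reports the mismatch.

```python
import hashlib
import re

# Constructed sample sources, standing in for what an SRPM carries.
# Names and contents are made up for this example.
ORIGINAL_SOURCES = {
    "foo-1.0.tar.gz": b"original upstream tarball bytes",
    "fix-buffer-handling.patch": b"--- a/foo.c\n+++ b/foo.c\n@@ -1 +1 @@\n-old\n+new\n",
}

# One manifest line per file, in the 'SHA512 (name) = hex' shape used by
# Fedora's dist-git 'sources' file (assumed format for this example).
MANIFEST_LINE = re.compile(
    r"^SHA512 \((?P<name>[^)]+)\) = (?P<digest>[0-9a-f]{128})$"
)


def sha512_hex(data: bytes) -> str:
    return hashlib.sha512(data).hexdigest()


def build_manifest(sources: dict) -> str:
    """Render a manifest for the given {name: bytes} mapping."""
    return "".join(
        f"SHA512 ({name}) = {sha512_hex(data)}\n"
        for name, data in sorted(sources.items())
    )


def parse_manifest(text: str) -> dict:
    """Parse manifest text into {name: expected_hex}; reject malformed lines."""
    expected = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        match = MANIFEST_LINE.match(line)
        if match is None:
            raise ValueError(f"malformed manifest line {lineno}: {line!r}")
        expected[match["name"]] = match["digest"]
    return expected


def verify_sources(sources: dict, manifest_text: str) -> dict:
    """Check every file against the manifest.

    Returns {name: status} where status is one of:
      'ok'       digest matches
      'mismatch' file present but digest differs
      'missing'  listed in the manifest but absent from the package
      'unlisted' present in the package but not covered by the manifest
    """
    expected = parse_manifest(manifest_text)
    status = {}
    for name, digest in expected.items():
        if name not in sources:
            status[name] = "missing"
        elif sha512_hex(sources[name]) == digest:
            status[name] = "ok"
        else:
            status[name] = "mismatch"
    for name in sources:
        if name not in expected:
            status[name] = "unlisted"
    return status


def demo() -> dict:
    """Compare an embedded manifest with an externally pinned one."""
    # The pinned manifest lives outside the package (the dist-git role),
    # so whoever modifies the package cannot rewrite it.
    pinned = build_manifest(ORIGINAL_SOURCES)

    # A package whose tarball was replaced after the manifest was pinned.
    tampered = dict(ORIGINAL_SOURCES)
    tampered["foo-1.0.tar.gz"] = b"replaced tarball bytes"

    # A manifest shipped inside the package is under the same control as
    # the package itself, so it is simply regenerated to match.
    embedded = build_manifest(tampered)

    return {
        "embedded_check": verify_sources(tampered, embedded),
        "pinned_check": verify_sources(tampered, pinned),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(check)
        for name, status in sorted(result.items()):
            print(f"  {status:9s} {name}")
```

Running the module prints `ok` for every file under the embedded check and `mismatch` for the tarball under the pinned check. The verifier is the same function in both cases; the only difference is where the expected digests come from, which is exactly why the hash list has to be stored somewhere the package author cannot overwrite and why a signature over that list (or over the package) is what actually carries trust.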

