[Rpm-ecosystem] Reproducible Builds
lkardos at redhat.com
Wed Mar 2 12:09:55 UTC 2016
----- Original Message -----
> From: "Michael Schroeder" <mls at suse.de>
> To: rpm-ecosystem at lists.rpm.org
> Sent: Wednesday, March 2, 2016 11:43:00 AM
> Subject: Re: [Rpm-ecosystem] Reproducible Builds
> On Tue, Mar 01, 2016 at 04:59:02PM +0100, Florian Festi wrote:
> > I am pretty sure there are still pieces missing.
> > So, my questions are: Who is actually working on reproducible builds?
> > What else is missing? Are there any special needs for some build systems?
> Dunno if I want to have the buildhost and the buildtime patched, this
> is important information to know. The question is what's the goal
> of reproducible builds, do you just want the same payload or should
> the header also be the same? How about the signature, it contains
> the current time as well.
I think the goal of reproducible builds is that if you have a binary rpm you
can verify that it was created from some srpm by rebuilding the srpm and
comparing the rebuilt rpm with the rpm you want to verify.
But I could be completely wrong. If I am right, then the bigger problem
with signatures is that the user who wants to verify a binary rpm doesn't have the
private key with which the rpm was signed, rather than the timestamp in the signature.
> Michael Schroeder mls at suse.de
> SUSE LINUX GmbH, GF Jeff Hawn, HRB 16746 AG Nuernberg
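The check described above (rebuild the srpm, compare the result with the package you want to verify) as an added example, not part of this thread or of rpm's own tooling. It separates "same payload" from "same header", which is the distinction Michael raises: the per-file digests are compared exactly, while the header comparison skips BUILDHOST, BUILDTIME and the signature tags. It assumes the rpm binary is installed; the tag list and the sample values in the test are constructed.

```python
"""Check whether a rebuilt RPM matches the original, separating "same payload"
from "same header" (added example; not rpm's own tooling)."""
import subprocess
import sys

# Header tags this thread expects to differ between a build and its rebuild,
# and the signature tags, which embed a signing time and need the private key.
VOLATILE_TAGS = {"BUILDHOST", "BUILDTIME"}
SIGNATURE_TAGS = {"SIGMD5", "SIGPGP", "SIGGPG", "RSAHEADER", "DSAHEADER",
                  "SHA1HEADER", "SHA256HEADER"}
# Scalar tags read from each package (assumed subset; extend as needed).
HEADER_TAGS = ["NAME", "VERSION", "RELEASE", "ARCH", "BUILDHOST", "BUILDTIME",
               "SIGPGP"]

def rpm_query(path, fmt):
    """Run `rpm -qp --qf FMT PATH`; requires the rpm binary on this host."""
    return subprocess.run(["rpm", "-qp", "--qf", fmt, path], check=True,
                          capture_output=True, text=True).stdout

def header_tags(path):
    """Read the scalar tags in HEADER_TAGS into a dict of tag -> value."""
    fmt = "".join("%%{%s}\n" % t for t in HEADER_TAGS)
    return dict(zip(HEADER_TAGS, rpm_query(path, fmt).split("\n")))

def file_digests(path):
    """Map each packaged path to its content digest (empty for directories)."""
    lines = rpm_query(path, "[%{FILENAMES}\t%{FILEDIGESTS}\n]").splitlines()
    return dict(line.split("\t", 1) for line in lines if line)

def compare(tags_a, tags_b, digests_a, digests_b,
            ignore=frozenset(VOLATILE_TAGS | SIGNATURE_TAGS)):
    """Return (payload_identical, header_diffs): header_diffs lists the tags,
    outside `ignore`, whose values differ between the two packages."""
    payload_identical = digests_a == digests_b
    header_diffs = sorted(t for t in set(tags_a) | set(tags_b)
                          if t not in ignore and tags_a.get(t) != tags_b.get(t))
    return payload_identical, header_diffs

if __name__ == "__main__":
    original, rebuilt = sys.argv[1:3]
    same_payload, diffs = compare(header_tags(original), header_tags(rebuilt),
                                  file_digests(original), file_digests(rebuilt))
    print("payload identical:", same_payload)
    print("differing header tags (buildhost/buildtime/signature ignored):", diffs)
```

Passing `ignore=frozenset()` to `compare` gives the strict "header must be byte-for-byte the same" view, where BUILDHOST, BUILDTIME and the signature show up as differences.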