[Rpm-ecosystem] Reproducible Builds

Lubos Kardos lkardos at redhat.com
Wed Mar 2 12:09:55 UTC 2016


----- Original Message -----
> From: "Michael Schroeder" <mls at suse.de>
> To: rpm-ecosystem at lists.rpm.org
> Sent: Wednesday, March 2, 2016 11:43:00 AM
> Subject: Re: [Rpm-ecosystem] Reproducible Builds
> 
> On Tue, Mar 01, 2016 at 04:59:02PM +0100, Florian Festi wrote:
> > I am pretty sure there are still pieces missing.
> > 
> > So, my questions are: Who is actually working on reproducible builds?
> > What else is missing? Are there any special needs for some build systems?
> 
> Dunno if I want to have the buildhost and the buildtime patched, this
> is important information to know. The question is what's the goal
> of reproducible builds, do you just want the same payload or should
> the header also be the same? How about the signature, it contains
> the current time as well.
> 
I think the goal of reproducible builds is that if you have a binary rpm, you
can verify that it was created from some srpm by rebuilding the srpm and
comparing the rebuilt rpm with the rpm you want to verify.

But I can be completely wrong. But if I am right, then the bigger problem
with signatures is that the user who wants to verify a binary rpm doesn't have the
private key with which the rpm was signed, rather than the timestamp in the signature.

Lubos

> Cheers,
>   Michael.
> 
> --
> Michael Schroeder                                   mls at suse.de
> SUSE LINUX GmbH,           GF Jeff Hawn, HRB 16746 AG Nuernberg
> main(_){while(_=~getchar())putchar(~_-1/(~(_|32)/13*2-11)*13);}
> _______________________________________________
> Rpm-ecosystem mailing list
> Rpm-ecosystem at lists.rpm.org
> http://lists.rpm.org/mailman/listinfo/rpm-ecosystem
> 
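As an added illustration of the rebuild-and-compare check Lubos describes (example code, not from the thread or from rpm itself): it separates the three cases Michael raises, same payload, same header, same signature. Tag names are rpm header tag names; PAYLOAD_SHA256 is an assumed extra field computed outside the header (for instance over the rpm2cpio output), and the sample headers are constructed.

```python
"""Classify how far a rebuilt rpm reproduces the original one.

Each package is described by a map of rpm header tag values plus an assumed
PAYLOAD_SHA256 entry computed outside the header (e.g. sha256 of rpm2cpio output).
"""
from typing import Dict, List, Tuple

# Filled by rpmbuild from the build environment: a rebuild on another host or
# at another time changes these even when the payload is byte-identical.
BUILD_ENV_TAGS = {"BUILDHOST", "BUILDTIME"}
# Written by rpmsign; they depend on the signer's private key and signing time,
# so a rebuild by someone without that key cannot reproduce them.
SIGNATURE_TAGS = {"SIGPGP", "SIGGPG", "RSAHEADER", "DSAHEADER"}

def differing_tags(a: Dict[str, str], b: Dict[str, str]) -> List[str]:
    """All tags whose value differs (or is present on only one side)."""
    return sorted(t for t in set(a) | set(b) if a.get(t) != b.get(t))

def compare(original: Dict[str, str], rebuilt: Dict[str, str],
            ignore_signature: bool = True) -> Tuple[str, List[str]]:
    """Return (verdict, tags that matter for that verdict)."""
    diffs = differing_tags(original, rebuilt)
    if "PAYLOAD_SHA256" in diffs:
        return "payload differs", diffs          # not reproducible at all
    ignored = BUILD_ENV_TAGS | (SIGNATURE_TAGS if ignore_signature else set())
    remaining = [t for t in diffs if t not in ignored]
    if remaining:
        return "payload identical, header differs", remaining
    if diffs:
        return "identical except build environment/signature", diffs
    return "bit-for-bit identical", []

# Constructed sample data (not real packages).
ORIGINAL = {
    "NAME": "hello", "VERSION": "2.10", "RELEASE": "1", "ARCH": "x86_64",
    "BUILDHOST": "builder01.example.test", "BUILDTIME": "1456833600",
    "SIGPGP": "<constructed vendor signature blob>",
    "PAYLOAD_SHA256": "b" * 64,
}
# Rebuild by a verifier: other host, other time, no vendor key so unsigned.
REBUILT = dict(ORIGINAL, BUILDHOST="rebuild.localdomain",
               BUILDTIME="1456920000", SIGPGP="")
# Same metadata but different file contents.
TAMPERED = dict(REBUILT, PAYLOAD_SHA256="c" * 64)

if __name__ == "__main__":
    for name, pkg in (("rebuilt", REBUILT), ("tampered", TAMPERED)):
        verdict, tags = compare(ORIGINAL, pkg)
        print(f"{name}: {verdict} {tags}")
```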