[Rpm-ecosystem] Reproducible Builds

Dave Johansen davejohansen at gmail.com
Fri Mar 4 15:06:35 UTC 2016

On Tue, Mar 1, 2016 at 2:58 PM, Florian Festi <ffesti at redhat.com> wrote:

> On 03/01/2016 08:48 PM, Dave Johansen wrote:
> > Aside from revision control and the current Fedora system for doing
> > builds, it would be nice if the .spec and/or source .rpm had verifiable
> > hashes of what the original/intended content is. My understanding is
> > that a nefarious agent could easily replace a patch or source tarball in
> > a source .rpm and then there's no way to detect that that happened.
> While this sounds like a good idea it is much less obvious how to do
> that when it comes to an actual implementation. If you have an SRPM you
> have all the sources with it. If an attacker alters the SRPM he or she
> can just adjust the hashes. So there is no gain there.
> For this feature to be useful you need to have a save location to put
> the hashes to. This is in fact dist-git for Fedora. RPM as a tools or
> package format cannot provide you with such a location. It can only
> allow to carry the trust you may have in such place. RPM signatures are
> doing just that (The issues of rpm signatures intentionally not
> mentioned here).

The root of this issue is trust and the question is what parts do you
trust. Yes, if you can trust the entire build environment that it didn't
inject/modify anything from the SRPM, then this sort of verification is not
necessary. But if we really want to show that the SRPM is really what was
used to generate the binary, then this sort of check can help do that.

Obviously, what I'm proposing would be very complex and difficult for a
nefarious agent to pull off, but it's also not without precedent (
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rpm.org/pipermail/rpm-ecosystem/attachments/20160304/e17082ac/attachment.html>

More information about the Rpm-ecosystem mailing list