[tor-talk] Deterministic builds?
Greg Troxel
gdt at work.lexort.com
Thu Jan 5 13:30:30 UTC 2012
We believe that Windows and Mac OS X both produce build results that are
extremely difficult to verify. On Gnu/Linux sometimes the build results
are difficult to verify.
I am not crystal clear on all the details, but NetBSD has recently
undergone a perhaps-similar effort, with the goal being that one should
be able to start with identical sources and get bit-identical binary
releases.
Key elements include:
Using a toolchain that is part of the source tree.
Modifying the toolchain to not embed timestamps.
Cleaning up everyplace else that allowed variation.
But, that was a regression-test mentality effort, and I think you are
talking about a security effort, to detect subversion of platforms used
for the build. Still, if everyone can check out a given tag, and produce
the same bits, and compare hashes, a lot of benefit is gained - is that
your goal?