On Dec 22, 2015, at 12:16 PM, Pádraig Brady <p...@draigbrady.com> wrote:

> On 22/12/15 17:00, Mike Gerwitz wrote:
>> There is ongoing discussion about reproducible builds within GNU.
>
> I’m wondering about how useful deterministic tarballs are?

This page gives the “whys” of reproducible builds:
https://wiki.debian.org/ReproducibleBuilds/About

> Perhaps the main focus for tarballs should just to
> ensure they're properly signed.

Signing only proves that the package provider possesses the private key, which implies — but does not prove — that the signer is the party you expect the packages to come from. The security risk is that if someone can steal the private key, they can sign arbitrary packages.

But, if you can independently create the same pre-signature tarball from the source package, you can prove conclusively that the source code is the same used for creating that binary package. This does not prove that the source code hasn’t also been compromised, but once you’ve reduced the verification problem to the source level, you can use traditional high-level means of verification: diffing against previous source releases, diffing against the project’s public source repo, auditing the source, etc.
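An added illustration of the point made in the reply above (example code, not part of the thread or of any GNU project): a tarball is only independently reproducible if every non-content field (timestamps, ownership, permissions, entry order, the gzip header) is pinned, after which a third party can rebuild it and compare its digest against the one the maintainer signed. The project name `proj-1.0`, the sample files and the two checkout times are constructed for the demo.

```python
import gzip
import hashlib
import io
import os
import tarfile
import tempfile

SOURCE_EPOCH = 0  # fixed header timestamp; a real release would pin its release date

def deterministic_tarball(src_dir, prefix):
    """Pack src_dir as prefix/... with every non-content field normalised."""
    rels = sorted(os.path.relpath(os.path.join(r, n), src_dir)
                  for r, ds, fs in os.walk(src_dir) for n in ds + fs)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for rel in rels:  # sorted: readdir order of the build host must not leak in
            path = os.path.join(src_dir, rel)
            info = tar.gettarinfo(path, arcname=os.path.join(prefix, rel))
            info.mtime, info.uid, info.gid, info.uname, info.gname = SOURCE_EPOCH, 0, 0, "", ""
            info.mode = 0o755 if info.isdir() or info.mode & 0o100 else 0o644
            if info.isfile():
                with open(path, "rb") as fh:
                    tar.addfile(info, fh)
            else:
                tar.addfile(info)
    return gzip.compress(buf.getvalue(), mtime=0)  # the gzip header carries a timestamp too

def naive_tarball(src_dir, prefix):
    """What an unnormalised `tar czf` effectively produces: host metadata leaks in."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        tar.add(src_dir, arcname=prefix)
    return buf.getvalue()

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def verify_tarball(src_dir, prefix, published_sha256):
    """Independent rebuild check: does our own tarball match the signed one's digest?"""
    return sha256(deterministic_tarball(src_dir, prefix)) == published_sha256

def write_sample_tree(d, mtime):
    """Constructed sample project; mtime simulates a checkout made at a different time."""
    os.makedirs(os.path.join(d, "src"))
    for rel, text in (("src/main.c", "int main(void) { return 0; }\n"), ("README", "sample\n")):
        with open(os.path.join(d, rel), "w") as fh:
            fh.write(text)
        os.utime(os.path.join(d, rel), (mtime, mtime))

def demo():
    """Returns (deterministic builds identical?, naive builds identical?, rebuild verifies?)."""
    with tempfile.TemporaryDirectory() as d1, tempfile.TemporaryDirectory() as d2:
        write_sample_tree(d1, 1_000_000)
        write_sample_tree(d2, 2_000_000)
        det1, det2 = deterministic_tarball(d1, "proj-1.0"), deterministic_tarball(d2, "proj-1.0")
        naive_same = sha256(naive_tarball(d1, "proj-1.0")) == sha256(naive_tarball(d2, "proj-1.0"))
        return sha256(det1) == sha256(det2), naive_same, verify_tarball(d2, "proj-1.0", sha256(det1))
```

`demo()` returns `(True, False, True)`: the normalised archives of two checkouts with different mtimes are byte-identical and a rebuild from the second checkout verifies against the first one's digest, while the naive archives of the same trees differ.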