On Tue, Feb 04, 2025 at 01:33:48AM -0600, Steve Lewis via cctalk wrote:
> Beyond just the compiler, there are also optimization and other settings
> (like the multitude levels of C-compliance or how strict to be about
> warnings, or conditional-builds to tailor it specific situations).
>
> Regardless, proper binary deliveries come with CRC checksums. This isn't

Nitpick: Not CRC checksums, as those are only good to detect gross data corruption (e.g. an entire page/sector being zeroed). The standard these days is proper cryptographic hashes that are still known to be strong (e.g. not MD5, as it is known to be weak and collisions can be generated, but SHA256/SHA512) and the hashes cryptographically signed.

> just to verify that you downloaded the file correctly, but to also help
> verify that you've used the exact same "Bill of software material" (SBOM),
> versions of dependencies, and other settings to produce that same binary.

Reproducible builds is an issue by itself and requires careful attention to the build systems. But it should be a base standard.

Kind regards,
Alex.

--
"Opportunity is missed by most people because it is dressed in overalls and looks like work." -- Thomas A. Edison
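The point about CRCs versus cryptographic hashes, as an added example that is not part of the thread: a stdlib-only Python checker for sha256sum/sha512sum-style manifests that refuses MD5-length entries and compares digests in constant time, plus a birthday search showing how cheaply CRC32 collides. File names, contents and the manifest are constructed for the example; checking the signature over the manifest is out of scope here.

```python
import hashlib, hmac, zlib  # stdlib only

# Accepted hex-digest lengths: SHA-256 (64) and SHA-512 (128);
# MD5 (32 chars) or CRC32 (8 chars) entries are refused rather than checked.
ACCEPTED = {64: "sha256", 128: "sha512"}

def parse_manifest(text):
    """Parse `<hex>  <file>` / `<hex> *<file>` lines as sha256sum/sha512sum write them."""
    entries = []
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue  # blank, malformed or comment line
        entries.append((parts[1].lstrip("*"), parts[0].lower()))  # '*' marks binary mode
    return entries

def verify_manifest(manifest_text, files):
    """Map each manifest entry to 'ok', 'mismatch', 'missing' or 'weak-algorithm'."""
    results = {}
    for name, expected in parse_manifest(manifest_text):
        algo = ACCEPTED.get(len(expected))
        if algo is None:
            results[name] = "weak-algorithm"
        elif name not in files:
            results[name] = "missing"
        else:
            actual = hashlib.new(algo, files[name]).hexdigest()
            # Constant-time compare, so timing does not reveal how long a prefix matched.
            results[name] = "ok" if hmac.compare_digest(actual, expected) else "mismatch"
    return results

def crc32_collision(limit=2_000_000):
    """Birthday search: two distinct 16-byte inputs with equal CRC32, expected after ~2**16 tries."""
    seen = {}
    for i in range(limit):
        data = hashlib.sha256(i.to_bytes(4, "big")).digest()[:16]  # pseudo-random candidate
        crc = zlib.crc32(data)
        if crc in seen:
            return seen[crc], data
        seen[crc] = data
    return None

# Constructed sample: the publisher's files vs. what arrived (tool.so's last byte altered
# in transit). A real delivery also signs the manifest; this code does not check that.
PUBLISHED = {"tool.bin": b"\x7fELF" + bytes(range(64)), "tool.so": b"\x7fELF" + b"\x00" * 32}
DOWNLOADED = {**PUBLISHED, "tool.so": PUBLISHED["tool.so"][:-1] + b"\x01"}
MANIFEST = "\n".join([
    hashlib.sha256(PUBLISHED["tool.bin"]).hexdigest() + "  tool.bin",
    hashlib.sha512(PUBLISHED["tool.so"]).hexdigest() + " *tool.so",
    "d41d8cd98f00b204e9800998ecf8427e  tool.conf"])  # MD5-length digest: refused
```

Running `verify_manifest(MANIFEST, DOWNLOADED)` flags tool.so as a mismatch and tool.conf as a weak algorithm, while `crc32_collision()` returns a colliding pair in a fraction of a second.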