Neil Williams <[EMAIL PROTECTED]>:
> Martin Uecker <[EMAIL PROTECTED]> wrote:

[...]

> > I think it would be really cool if the Debian policy required
> > that packages could be rebuilt bit-identical from source.
> > At the moment, it is impossible to independently verify the
> > integrity of binary packages.
>
> This has been covered before - certain upstream macros are among
> many factors that ensure that this is unlikely. I, for one, use such
> macros upstream to indicate the build time of the actual executable
> installed so this will change the binary every time it is built.

This could be fixed.

> You have md5sums and GnuPG signatures on the Release files - I see
> no benefit from bit-matching.

The build host could be compromised. Not that unlikely.

Martin