On Wed, Sep 29, 2021 at 12:42:56PM -0600, Sam Hartman wrote:
> There's a chain of signatures for the installed files, and so you could
> presumably validate that the installed files have not been modified.
> That is much more challenging for files generated from the postinst.

I wondered about reproducibility of Python bytecode, and from a quick
web search before the children's bedtime I ran across a couple of links
that look interesting to pursue:

  https://bugs.python.org/issue29708
  https://vulns.xyz/2021/08/reproducible-python-bytecode/

I couldn't find anything under Debian's reproducible builds banner (it
is after all slightly outside the usual area of building reproducible
.debs), but maybe I missed something.

-- 
Colin Watson (he/him)                              [cjwat...@debian.org]
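As an added illustration of the bytecode reproducibility question raised above (not code from the thread or from Debian's tooling), the script below compiles one constructed sample module twice with different source mtimes, once with the default timestamp-based .pyc header and once with the PEP 552 hash-based header, and reports whether the resulting .pyc bytes are identical; it also shows how a verifier can tell from the header which kind it is looking at. The module source and the mtime values are constructed for the demonstration.

```python
import os
import py_compile
import tempfile
from pathlib import Path
from py_compile import PycInvalidationMode

# Constructed sample module; any small piece of source works.
SOURCE = "def greet(name):\n    return 'hello ' + name\n"


def compile_pyc(mode, source_mtime):
    """Compile SOURCE to a .pyc after forcing the source mtime; return the raw .pyc bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "mod.py"
        src.write_text(SOURCE)
        os.utime(src, (source_mtime, source_mtime))
        out = Path(tmp) / "mod.pyc"
        # dfile pins the filename embedded in the code object, so the temp dir
        # path does not leak into the output and only the header can differ.
        py_compile.compile(str(src), cfile=str(out), dfile="mod.py",
                           doraise=True, invalidation_mode=mode)
        return out.read_bytes()


def pyc_is_hash_based(pyc):
    """Inspect the 16-byte header: 4 magic bytes, a 4-byte little-endian flags
    word, then 8 bytes holding either (mtime, size) or the source hash.
    Flag bit 0 marks a hash-based .pyc (PEP 552)."""
    flags = int.from_bytes(pyc[4:8], "little")
    return bool(flags & 1)


def bytecode_reproducible(mode):
    """True if the same source compiled under two different mtimes yields
    byte-identical .pyc output; timestamp mode embeds the mtime and so does not."""
    a = compile_pyc(mode, 1_000_000_000)
    b = compile_pyc(mode, 1_600_000_000)
    return a == b


if __name__ == "__main__":
    for mode in (PycInvalidationMode.TIMESTAMP, PycInvalidationMode.CHECKED_HASH):
        print(mode.name, "reproducible:", bytecode_reproducible(mode))
```

The same comparison is what a postinst-generated file check would have to survive: a timestamp-based .pyc can legitimately differ from one install to the next, so only a hash-based one can be compared against a recorded digest.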