On Fri, 23 Jul 21, 13:15:46, Greg Wooledge wrote:
> On Fri, Jul 23, 2021 at 08:09:07PM +0300, Andrei POPESCU wrote:
> > Unless I'm missing something (which is very much possible, I'm way out
> > of my depth here) rebuilding to verify it matches the official binary
> > should still be possible.
> > 
> > Care to elaborate on why you think this would be a problem?
> 
> I suppose that if there is a way to chop up the binary blob into
> "program" and "signature", then you could compare the two program
> segments to each other, and ignore the signature segments. It would
> depend on how this binary-blob-with-signature format is defined.
> 
> A simple cmp(1) of the two would clearly not work, as the signatures
> wouldn't match.
Simply concatenating the signature with the binary is very simple; there's not much technical reason to do anything fancier than that.

> But... even if the signature segments can be snipped off, it's possible
> that there would be differences in the program segments, depending on
> the compiler used, particularly optimizations. There could also be
> timestamps, or pieces of the build environment such as directory paths,
> embedded in the binary blob.
> 
> I'd have to defer to the "reproducible builds" people on that one. They
> would have more experience with those kinds of issues.

Support for reproducible builds has become the norm in the FLOSS world. The potential issues and fixes / workarounds are pretty well understood by now.

Kind regards,
Andrei
-- 
http://wiki.debian.org/FAQsFromDebianUser
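The split-and-compare procedure Greg describes, with the "signature simply appended" layout Andrei mentions, as an added shell example that is not part of the thread and not any vendor's or Debian's tooling. It assumes a hypothetical format of `program || signature` with a fixed, known signature length (`SIG_LEN`, 64 bytes here by assumption); a real format with a header, length field or PKCS#7 container would need its own split logic. The `demo` function builds constructed sample files (not real firmware) in which two "rebuilds" differ only by an embedded date, to show both the case cmp(1) on the whole blob gets wrong and the reproducibility caveat from the quoted reply.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed (hypothetical) layout:
#   blob = program || signature, signature of fixed length SIG_LEN bytes.
set -eu

SIG_LEN="${SIG_LEN:-64}"   # assumed trailing-signature size; adjust to the real format

# file_size FILE -> prints the size in bytes (portable; avoids GNU-only stat flags)
file_size() { wc -c < "$1" | tr -d ' '; }

# program_segment BLOB OUT -> writes BLOB minus its trailing SIG_LEN bytes to OUT
program_segment() {
    size=$(file_size "$1")
    if [ "$size" -le "$SIG_LEN" ]; then
        echo "program_segment: $1 is too small to hold a $SIG_LEN-byte signature" >&2
        return 2
    fi
    head -c "$((size - SIG_LEN))" "$1" > "$2"
}

# signature_segment BLOB OUT -> writes the trailing SIG_LEN bytes to OUT
# (this part goes to the vendor's signature verification tool, not to cmp)
signature_segment() { tail -c "$SIG_LEN" "$1" > "$2"; }

# compare_program BLOB REBUILT -> 0 if the program segment equals REBUILT
# byte for byte; 1 if they differ (cmp prints the first differing byte,
# which is where to start looking for timestamps or build paths);
# 2 if the blob could not be split.
compare_program() {
    tmp=$(mktemp)
    if ! program_segment "$1" "$tmp"; then
        rm -f "$tmp"
        return 2
    fi
    if cmp "$tmp" "$2"; then rc=0; else rc=$?; fi
    rm -f "$tmp"
    return "$rc"
}

# demo -> constructed sample inputs (not real firmware): a vendor blob made
# from "rebuilt-same" plus a fake 64-byte signature of 'S' bytes, and a
# second rebuild that differs only in an embedded date. Returns 0 when
# every case behaves as expected, 1 otherwise.
demo() {
    d=$(mktemp -d)
    printf 'program bytes, built 2021-07-23, /home/andrei/build' > "$d/rebuilt-same"
    printf 'program bytes, built 2021-07-24, /home/andrei/build' > "$d/rebuilt-ts"
    { cat "$d/rebuilt-same"; head -c "$SIG_LEN" /dev/zero | tr '\0' S; } > "$d/vendor.bin"
    ok=0
    # 1. cmp of the whole blob must fail: the appended signature differs
    cmp -s "$d/vendor.bin" "$d/rebuilt-same" && ok=1
    # 2. the program segment alone must match the faithful rebuild
    compare_program "$d/vendor.bin" "$d/rebuilt-same" > /dev/null || ok=1
    # 3. a rebuild with a different embedded timestamp must still be reported
    compare_program "$d/vendor.bin" "$d/rebuilt-ts" > /dev/null && ok=1
    rm -rf "$d"
    return "$ok"
}

# Usage on real files:  compare_program vendor-signed.bin ./build/firmware.bin
```

The program/signature split is the only format-specific part; everything after it is the plain cmp(1) Greg mentions. When `compare_program` returns 1, the byte offset cmp prints is the place to check for the build-environment differences in the quoted reply (timestamps, directory paths), which is what the reproducible-builds fixes Andrei refers to are meant to eliminate.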