On 2024-03-30, Salvatore Bonaccorso wrote:
> On Fri, Mar 29, 2024 at 07:38:35PM -0700, Vagrant Cascadian wrote:
>> Philipp Kern asked about trying to do reproducible builds checks for
>> recent security updates to try to gain confidence about Debian's buildd
>> infrastructure, given that they run builds in sid chroots which may have
>> used or built or run a vulnerable xz-utils...
...
> Thanks a lot for doing this verification work!

It is such an obvious application for Reproducible Builds that many
people have worked on for many years. So... I daresay, my pleasure and
honor. :)

> There would be an upcoming (or actually postponed) util-linux update
> as well. Could you as extra paranoia please verify these here as well
> (I assume it's enough for you that the source package is signed, I
> stripped the signature from the changes):
>
> https://people.debian.org/~carnil/tmp/util-linux/

I don't see any source packages there, just .deb, .changes and signed
.buildinfo files! The signed .buildinfo files are great, but I would
definitely need the source code ... looks like the util-linux changes
are in a git branch, but a signed .dsc would be nice just to be sure I
am testing the same thing.

That said, testing from git and getting bit-for-bit identical results
... would be confidence inspiring! Hmmm. Might just go for it, and if we
have issues, maybe try to dig up the .dsc? :)

live well,
  vagrant