At 00:41 08/08/2002 -0700, Terry Lambert wrote:
>Colin Percival wrote:
> > If two people `make release` on different machines, how much difference
> > will there be between the results? Obviously the kernel will be different
> > because it contains the user and host names from its build; should
> > everything else be the same?
>
>Assuming identical source trees, and that the build takes place
>on systems installed with the same software, the only things that
>should be different are user, host, and time stamps. The kernel
>is one place that's stamped; the boot code is another.

And, unfortunately, there's a hell of a lot more. I've grabbed the 4.6-RELEASE source tree and run a make world - chroot - make world twice, and here's what I found:

/kernel, /boot/loader, and /boot/pxeboot all contain user, host, time, and date stamps, as expected.

All .a files (126 in /usr/lib, one in /usr/libdata/perl/5.00503/mach/auto/DynaLoader) contain some sort of indices of .o files, including seconds-since-epoch stamps.

User, host, time, and date stamps are found in:
/etc/mail/freebsd.cf
/usr/sbin/named
/usr/libexec/named-xfer

Time and date stamps are found in:
/usr/bin/suidperl
/usr/bin/ntpq
/usr/sbin/ntp(d|date|dc|timeset|trace)
/usr/sbin/isdn(d|debug|monitor|phone|telctl)
/usr/libdata/perl/5.00503/mach/perllocal.pod

Date stamps are found in:
/usr/sbin/ppp
/var/db/port.mkversion
/usr/share/doc/usd/(07.mail|13.viref|18.msdiffs|19.memacros|20.meref)/paper.ascii.gz (once you ungzip them)
/usr/share/perl/man/man3/(Config|DynaLoader).3.gz (once you ungzip them)

Files which are always the same size, but seem to have completely different contents:
/usr/share/games/fortune/*.dat
/var/games/phantasia/void

This raises two questions:

1. Is there any way I can set up my system to consistently build the same world? The user and host are of course easy to fix; I'd consider running a daemon to reset my clock every second in order to keep the time stamps consistent, except that I don't think it would work, and I worry that it might break `make` anyway.

2. Is this really a desirable state of affairs at all? As it is, it is practically impossible for someone to `make release` on their own and compare their version to the official version to ensure that the build was correct. Reproducibility and verifiability are rather important matters when it comes to security.

Colin Percival
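
The .a finding in the message above can be checked mechanically. The following Python is an added example, not part of the original message: it parses the common `ar` layout (60-byte member headers) and reports whether two archives differ only in header metadata, such as the seconds-since-epoch field, or in actual member contents. The function names and the sample archives are constructed for illustration.

```python
AR_MAGIC = b"!<arch>\n"
HDR_LEN = 60  # name[16] mtime[12] uid[6] gid[6] mode[8] size[10] end[2]

def parse_ar(blob):
    """Return [(name, mtime, payload)] for each member of an ar archive."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    members, off = [], len(AR_MAGIC)
    while off < len(blob):
        hdr = blob[off:off + HDR_LEN]
        if len(hdr) < HDR_LEN or hdr[58:60] != b"`\n":
            raise ValueError(f"bad member header at offset {off}")
        name = hdr[0:16].decode("ascii").rstrip()
        mtime = int(hdr[16:28].decode("ascii").strip() or "0")
        size = int(hdr[48:58].decode("ascii").strip())
        payload = blob[off + HDR_LEN:off + HDR_LEN + size]
        if len(payload) != size:
            raise ValueError(f"truncated member {name!r}")
        members.append((name, mtime, payload))
        off += HDR_LEN + size + (size & 1)  # members are 2-byte aligned
    return members

def compare_archives(a, b):
    """Classify a pair as 'identical', 'metadata-only' or 'content'."""
    if a == b:
        return "identical"
    ma, mb = parse_ar(a), parse_ar(b)
    # Ignore mtime/uid/gid/mode: compare member names and payloads only.
    same = [(n, p) for n, _, p in ma] == [(n, p) for n, _, p in mb]
    return "metadata-only" if same else "content"

def build_ar(members, mtime):
    """Build a minimal archive (constructed test input, fixed uid/gid/mode)."""
    out = AR_MAGIC
    for name, payload in members:
        hdr = "%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (
            name, mtime, 0, 0, "100644", len(payload))
        out += hdr.encode("ascii") + payload + (b"\n" if len(payload) & 1 else b"")
    return out

# Constructed samples: two builds an hour apart, plus one with changed code.
OBJS = [("/", b"\x00\x00\x00\x00"), ("foo.o/", b"ELFDATA")]
SAMPLE_A = build_ar(OBJS, 1028792460)
SAMPLE_B = build_ar(OBJS, 1028796060)
SAMPLE_C = build_ar([OBJS[0], ("foo.o/", b"ELFDATB")], 1028792460)

if __name__ == "__main__":
    print(compare_archives(SAMPLE_A, SAMPLE_B))
    print(compare_archives(SAMPLE_A, SAMPLE_C))
```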