On Sun, Dec 28, 2014 at 3:24 AM, Andrew Clausen <andrew.p.clau...@gmail.com> wrote:
> Hi all,
>
> Deterministic software builds are helpful for spotting and preventing
> malicious modifications such as inserting back-doors.

Agree.

> At the moment, grub builds are mostly deterministic. However,
> grub-mkimage does not deterministically build EFI binaries. This is
> because the PE/COFF headers include timestamps. This is a widespread
> problem in the Windows world -- see for example a discussion of
> deterministically building TrueCrypt. [1]
>
> One solution would be to:
> * build deterministically by default by using a constant timestamp, and

I think doing this by default would be a poor choice, as most of the time
during development it is very useful to easily identify which version /
build / experiment / etc. is in use.

> * add a --with-timestamps option (disabled by default), which would
> enable honest timestamps.
>
> What do you think? Are you accepting patches?

The availability of a flag to explicitly set a specific timestamp for the
purpose of reproducing a build seems sane to me. I don't think I would
enable it by default.

/$0.02
-Jon

> Cheers,
> Andrew
>
> [1]
> https://madiba.encs.concordia.ca/~x_decarn/truecrypt-binaries-analysis/
>
> _______________________________________________
> Grub-devel mailing list
> Grub-devel@gnu.org
> https://lists.gnu.org/mailman/listinfo/grub-devel
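The non-determinism Andrew describes lives in one field: the 32-bit TimeDateStamp in the COFF file header that follows the "PE\0\0" signature. The script below is an added example, not GRUB code and not part of the thread; it shows how a reviewer can check whether two EFI images differ only in that field, and what "build with a constant timestamp" amounts to at the byte level. The sample image is constructed inline (an MZ stub, a PE signature and a 20-byte COFF header, nothing more) and the fixed value 0 is an assumption chosen for the example; real EFI binaries may also carry timestamps in the debug or export directories, which this example does not touch.

```python
import hashlib
import struct

# Assumed constant for the "deterministic by default" case (not GRUB's choice).
FIXED_TIMESTAMP = 0

# COFF file header layout: Machine(H) NumberOfSections(H) TimeDateStamp(I)
# PointerToSymbolTable(I) NumberOfSymbols(I) SizeOfOptionalHeader(H)
# Characteristics(H) -- 20 bytes, little-endian.
COFF_FMT = "<HHIIIHH"
TIMESTAMP_OFFSET_IN_COFF = 4  # after Machine and NumberOfSections


def build_sample_pe(timestamp: int) -> bytes:
    """Constructed minimal PE/COFF image for the example; not a real
    grub-mkimage output.  Only the headers this example reads are filled."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)      # e_lfanew: PE header at 64
    coff = struct.pack(COFF_FMT,
                       0x8664,                 # Machine: x86-64
                       1,                      # NumberOfSections
                       timestamp,              # TimeDateStamp
                       0, 0,                   # symbol table pointer / count
                       0, 0x0002)              # optional hdr size, EXECUTABLE_IMAGE
    return bytes(dos) + b"PE\0\0" + coff + b"\0" * 16


def coff_header_offset(image: bytes) -> int:
    """Locate the COFF header via the MZ stub's e_lfanew and the PE signature."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    return e_lfanew + 4


def get_timestamp(image: bytes) -> int:
    off = coff_header_offset(image) + TIMESTAMP_OFFSET_IN_COFF
    return struct.unpack_from("<I", image, off)[0]


def with_timestamp(image: bytes, timestamp: int) -> bytes:
    """Return a copy of the image with the COFF TimeDateStamp rewritten.
    This is the whole of what a constant-timestamp build option changes."""
    out = bytearray(image)
    off = coff_header_offset(image) + TIMESTAMP_OFFSET_IN_COFF
    struct.pack_into("<I", out, off, timestamp)
    return bytes(out)


def normalize(image: bytes) -> bytes:
    return with_timestamp(image, FIXED_TIMESTAMP)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def differ_only_by_timestamp(a: bytes, b: bytes) -> bool:
    """True when two images are byte-identical apart from TimeDateStamp."""
    return a != b and normalize(a) == normalize(b)


if __name__ == "__main__":
    # Two "builds" of the same input made one day apart (constructed values).
    first = build_sample_pe(1419733440)
    second = build_sample_pe(1419819840)
    print("raw hashes equal:       ", sha256(first) == sha256(second))
    print("normalized hashes equal:", sha256(normalize(first)) == sha256(normalize(second)))
    print("differ only by timestamp:", differ_only_by_timestamp(first, second))
```

Running it shows the raw hashes diverging while the normalized ones agree, which is exactly the evidence an independent rebuilder wants before concluding that a differing hash is benign. Whichever default GRUB picked, the check is the same: either the build writes a constant into that field, or the verifier rewrites it before comparing.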