Hi,
On 02/07/2019 16.13, Joshua Watt wrote:
For detecting malicious binaries not built from the claimed sources 1. is
sufficient. For distributions like Debian that build natively this is
even the only option available since the host compiler is used.
Doing 2. would of course be more desirable, but it can also be done in
a second step after all issues related to building on exactly the same
host have been sorted out.
I think there are also other use cases for #2 besides detecting
malicious binaries/source code, such as hash equivalence, or even being
able to use sstate when making a reproducible build. You are correct that
this can be done in a second step, but I think that everyone needs to be
aware of the limitations that will present when #2 is not present (the
main one being that you probably can't make a reproducible build if you
use sstate).
Our use case for reproducible builds is to limit delta update sizes.
I.e. updating one package shouldn't change the binary output from other
independent packages.
// Martin
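As an added illustration of the delta-update check Martin describes (example code, not from the thread or from OpenEmbedded): compare the per-file hashes of two builds and report packages whose output changed even though they were not the package that was updated. The package names, paths and manifests are constructed sample data.

```python
import hashlib
from typing import Dict, List, Set

def _h(content: str) -> str:
    """sha256 of a constructed file body, standing in for a real build artifact."""
    return hashlib.sha256(content.encode()).hexdigest()

# Constructed manifests: package -> {installed path: sha256} for two builds
# of the same tree. Only "libfoo" was deliberately updated between A and B.
BUILD_A = {
    "libfoo": {"usr/lib/libfoo.so.1": _h("libfoo v1")},
    "bar":    {"usr/bin/bar": _h("bar build")},
    "baz":    {"usr/bin/baz": _h("baz build"), "etc/baz.conf": _h("cfg")},
}
BUILD_B = {
    "libfoo": {"usr/lib/libfoo.so.1": _h("libfoo v2")},
    "bar":    {"usr/bin/bar": _h("bar build")},
    # baz embedded a build timestamp, so its binary differs although none of
    # its own inputs changed: exactly the case that inflates a delta update.
    "baz":    {"usr/bin/baz": _h("baz build 2019-07-02"), "etc/baz.conf": _h("cfg")},
}

def unexpected_changes(before: Dict[str, Dict[str, str]],
                       after: Dict[str, Dict[str, str]],
                       updated: Set[str]) -> Dict[str, List[str]]:
    """Return {package: [changed paths]} for packages that were NOT updated
    but whose output differs between the two builds. A non-empty result means
    the build is not reproducible enough to keep delta updates minimal."""
    result: Dict[str, List[str]] = {}
    for pkg in sorted(set(before) | set(after)):
        if pkg in updated:
            continue  # this package was meant to change
        a, b = before.get(pkg, {}), after.get(pkg, {})
        # a path missing on one side counts as changed, as does a hash mismatch
        changed = sorted(p for p in set(a) | set(b) if a.get(p) != b.get(p))
        if changed:
            result[pkg] = changed
    return result

if __name__ == "__main__":
    for pkg, paths in unexpected_changes(BUILD_A, BUILD_B, {"libfoo"}).items():
        print(f"{pkg}: output changed without a source change: {paths}")
```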
--
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core