On 01/05/2012 02:30 PM, Greg Troxel wrote:
>
> We believe that Windows and Mac OS X both produce build results that are
> extremely difficult to verify. On Gnu/Linux sometimes the build results
> are difficult to verify.
>
> I am not crystal clear on all the details, but NetBSD has recently
> undergone a perhaps-similar effort, with the goal being that one should
> be able to start with identical sources and get bit-identical binary
> releases.

Sounds good.

>
> Key elements include:
>
> Using a toolchain that is part of the source tree.
>
> Modifying the toolchain to not embed timestamps.
>
> Cleaning up everyplace else that allowed variation.
>
> But, that was a regression-test mentality effort, and I think you are
> talking about a security effort, to detect subversion of platforms used
> for the build. Still, if everyone can checkout a given tag, and produce
> the same bits, and compare hashes, a lot of benefit is gained - is that
> your goal?
>

Yes. That is exactly the goal.

All the best,
Jacob
_______________________________________________
tor-talk mailing list
[email protected]
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
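
The following is an added example, not part of the original thread: it packages the same files on two simulated builders and compares SHA-256 hashes, once with the build time and file-discovery order leaking into the archive and once with both pinned. The file names, contents, timestamps and the `package` and `builders_agree` helpers are constructed for illustration.

```python
import gzip
import hashlib
import io
import tarfile

# Constructed sample "build outputs": path -> contents.
FILES = {"bin/tool": b"\x7fELF constructed sample", "share/README": b"release notes\n"}
FIXED_EPOCH = 0  # assumption: any timestamp all builders agree on works


def package(files, build_time, reproducible):
    """Pack files into a .tar.gz and return the archive bytes.

    reproducible=False mimics a naive build: entries keep the order in which
    they were discovered and every timestamp is the builder's clock.
    reproducible=True sorts entries and pins every timestamp.
    """
    names = sorted(files) if reproducible else list(files)
    stamp = FIXED_EPOCH if reproducible else build_time
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in names:
            info = tarfile.TarInfo(name)  # defaults: uid/gid 0, empty owner names
            info.size = len(files[name])
            info.mtime = stamp
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(files[name]))
    out = io.BytesIO()
    # The gzip header carries its own mtime field, so it must be pinned too.
    with gzip.GzipFile(filename="", fileobj=out, mode="wb", mtime=stamp) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()


def digest(blob):
    return hashlib.sha256(blob).hexdigest()


def builders_agree(reproducible, files_b=None):
    """Build on two constructed builders with different clocks and discovery order."""
    files_b = FILES if files_b is None else files_b
    a = package(FILES, build_time=1325774400, reproducible=reproducible)
    shuffled = dict(reversed(list(files_b.items())))
    b = package(shuffled, build_time=1325860800, reproducible=reproducible)
    return digest(a) == digest(b)


if __name__ == "__main__":
    print("naive builds match:       ", builders_agree(False))
    print("reproducible builds match:", builders_agree(True))
    tampered = dict(FILES, **{"bin/tool": FILES["bin/tool"] + b"\x90"})
    print("tampered build matches:   ", builders_agree(True, tampered))
```

Once the honest builds agree bit for bit, a hash mismatch from any one builder points at a real difference in inputs or toolchain rather than at clock or ordering noise.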
