oss-security - Re: Reproducible Builds for Fedora

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Message-ID: <5244E4BC.9040007@google.com>
Date: Thu, 26 Sep 2013 18:51:56 -0700
From: Paul Pluzhnikov <ppluzhnikov@...gle.com>
To: oss-security@...ts.openwall.com
CC: Alexander Cherepanov <cherepan@...me.ru>
Subject: Re: Reproducible Builds for Fedora

On 9/26/13 6:36 PM, Alexander Cherepanov wrote:

> The choice is simple -- produce byte-for-byte identical builds. Both Tor
> and Debian aim at it.

FWIW, when we build compilers (and then all other binaries) at Google, 
we don't just aim for, but actually achieve bit-identical rebuilds.

New GCC releases often break this, but a few patches later the 
capability is restored. Latest example: 
http://comments.gmane.org/gmane.comp.gcc.devel/127875

The ability to do bit-identical rebuild is critical to our build system 
(http://google-engtools.blogspot.com/2011/09/build-in-cloud-distributing-build-steps.html) 
and in particular the high cache hit rates it achieves.

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.