[tor-talk] Deterministic builds?
Jacob Appelbaum
jacob at appelbaum.net
Thu Jan 5 13:58:16 UTC 2012
On 01/05/2012 02:30 PM, Greg Troxel wrote:
>
> We believe that Windows and Mac OS X both produce build results that are
> extremely difficult to verify. On Gnu/Linux sometimes the build results
> are difficult to verify.
>
> I am not crystal clear on all the details, but NetBSD has recently
> undergone a perhaps-similar effort, with the goal being that one should
> be able to start with identical sources and get bit-identical binary
> releases.
Sounds good.
>
> Key elements include:
>
> Using a toolchain that is part of the source tree.
>
> Modifying the toolchain to not embed timestamps.
>
> Cleaning up everyplace else that allowed variation.
>
> But, that was a regression-test mentality effort, and I think you are
> talking about a security effort, to detect subversion of platforms used
> for the build. Still, if everyone can checkout a given tag, and produce
> the same bits, and compare hashes, a lot of benefit is gained - is that
> your goal?
>
Yes. That is exactly the goal.
All the best,
Jacob
More information about the tor-talk
mailing list