Re: [gnu-prog-discuss] Automake dist reproducibility

[Warren Young]

On Dec 22, 2015, at 12:16 PM, Pádraig Brady <address@hidden> wrote:
> 
> On 22/12/15 17:00, Mike Gerwitz wrote:
>> There is ongoing discussion about reproducible builds within GNU.
> 
> I’m wondering about how useful deterministic tarballs are?

This page gives the “whys” of reproducible builds:

  https://wiki.debian.org/ReproducibleBuilds/About

> Perhaps the main focus for tarballs should just to
> ensure they're properly signed.

Signing only proves that the package provider possesses the private key, which 
implies — but does not prove — that the signer is the party you expect the 
packages to come from.

The security risk is that if someone can steal the private key, they can sign 
arbitrary packages.

But, if you can independently create the same pre-signature tarball from the 
source package, you can prove conclusively that the source code is the same 
used for creating that binary package.

This does not prove that the source code hasn’t also been compromised, but once 
you’ve reduced the verification problem to the source level, you can use 
traditional high-level means of verification: diffing against previous source 
releases, diffing against the project’s public source repo, auditing the 
source, etc.