Web lists-archives.com

Re: jn/reproducible-build, was Re: What's cooking in git.git (Nov 2017, #08; Tue, 28)




> On 01 Dec 2017, at 15:32, Johannes Schindelin <johannes.schindelin@xxxxxx> wrote:
> 
> Hi Junio & Jonathan (Nieder, there is another active Jonathan again),
> 
> On Wed, 29 Nov 2017, Junio C Hamano wrote:
> 
>> * jn/reproducible-build (2017-11-22) 3 commits
>>  (merged to 'next' on 2017-11-27 at 6ae6946f8c)
>> + Merge branch 'jn/reproducible-build' of ../git-gui into jn/reproducible-build
>> + git-gui: sort entries in optimized tclIndex
>> + generate-cmdlist: avoid non-deterministic output
>> 
>> The build procedure has been taught to avoid some unnecessary
>> instability in the build products.
> 
> I like this, from a purely security-informed point of view. Maybe there
> would be a way to integrate this with the Continuous Testing we do? Like,
> letting Travis verify that the binaries built from a certain Debian
> package are really identical to the binaries built from the corresponding
> commit? But I guess Travis is the wrong vehicle for this, as Travis needs
> a *commit* to be pushed, not a new package to be made available via apt...

That's a neat idea. We could make TravisCI publish the hashes of our
release builds and then people could check them against the builds that
they have installed. Could that add value as a start?

- Lars