
764 points bertman | 1 comments
abdullahkhalids ◴[] No.43485194[source]
Is the build infrastructure for Debian also reproducible? It seems like if someone wants to inject malware in Debian package binaries (without injecting them into the source), they have to target the build infrastructure (compilers, linkers and whatever wrapper code is written around them).

Also, is someone else also compiling these images, so we have evidence that the Debian compiling servers were not compromised?

replies(5): >>43485310 #>>43485572 #>>43485619 #>>43486186 #>>43492801 #
1. jzb ◴[] No.43485310[source]
There's a page that includes reproducibility results for Debian here: https://tests.reproducible-builds.org/debian/bookworm/index_...

I think there's also a similar thing for the images, but I might be wrong and I definitely don't have the link handy at the moment.

There's lots of documentation about all of the things on Debian's site at the links in the brief. And LWN also had a story last year about Holger Levsen's talk on the topic from DebConf: https://lwn.net/Articles/985739/