←back to thread

Debian bookworm live images now reproducible

(lwn.net)
764 points bertman | 1 comments | 26 Mar 25 17:22 UTC | HN request time: 0.619s | source
Show context
geocrasher ◴[26 Mar 25 17:58 UTC] No.43484909[source]
What is the significance of a reproducible build, and how is it different than a normal distribution?
replies(6): >>43484958 #>>43485126 #>>43487595 #>>43488312 #>>43489545 #>>43492115 #
csense ◴[26 Mar 25 21:33 UTC] No.43487595[source]
Reproducible: If Alice and Bob both download and compile the same source code, Alice's binary is byte-for-byte identical to Bob's binary.

Normal: Before Debian's initiative to handle this problem, most people didn't think hard about all the ways system-specific differences might wind up in binaries. For example: __DATE__ and __TIME__ macros in C, parallel builds finishing in different order, anything that produces a tar file (or zip etc.) usually by default asks the OS for the input files' modification time and puts that into the bytes of the tar file, filesystems may list files in a directory in different order and this may also get preserved in tar/zip files or other places...

Why it's important: With reproducible builds, anyone can check the official binaries of Debian match the source code. This means going forward, any bad actors who want to sneak backdoors or other malware into Debian will have to find a way to put it in the source code, where it will be easier for people to spot.

replies(4): >>43488311 #>>43489316 #>>43494151 #>>43497265 #
walrus01 ◴[26 Mar 25 22:42 UTC] No.43488311[source]
as the 'xz' backdoor was in the source code, and remained there for a while before anyone spotted it, it doesn't necessarily guarantee that backdoors/malware won't make their way into the source of a very-widely-redistributed project.
replies(3): >>43488420 #>>43488768 #>>43490852 #
1. badsectoracula ◴[26 Mar 25 23:35 UTC] No.43488768[source]
Source code availability doesn't mean that backdoors wont be put in place, it just makes it relatively easier to spot and remove them. Reproducible builds mean that the people who look for backdoors, malware, etc can focus on the source code instead of the binaries.