Debian's Archive Is Up To 94% For Reproducible Builds

  • Debian's Archive Is Up To 94% For Reproducible Builds

    Phoronix: Debian's Archive Is Up To 94% For Reproducible Builds

    Mattia Rizzolo has written a status update concerning Debian's Reproducible Builds project for ensuring the package archive can be rebuilt bit-for-bit in a verified and reproducible path from source code to binary...


  • #2
    This is really cool from a security standpoint.

    It's also surprising that it's taken so long to be considered important. I'm not blaming the Debian developers or the free software community. But in hindsight, we should all have realized how important this was in the early 2000s.



    • #3
      Originally posted by Michael_S
      This is really cool from a security standpoint.

      It's also surprising that it's taken so long to be considered important. I'm not blaming the Debian developers or the free software community. But in hindsight, we should all have realized how important this was in the early 2000s.
      Well, you just need to sit in the pub and ask yourself "why this or that happens"



      • #4
        Reprodubile-Builds.org?



        • #5
          This is a great thing for security and freedom.
          Congratulations and thanks to all the people involved!



          • #6
            Originally posted by Michael_S
            It's also surprising that it's taken so long to be considered important. I'm not blaming the Debian developers or the free software community. But in hindsight, we should all have realized how important this was in the early 2000s.
            Well, realistically, it's still not important to most people. I mean, it's certainly a good thing that if you want to, you can download the source code yourself and verify that the binaries from the distro do indeed match binaries created yourself from the sources.

            But how many users do you think are likely to take advantage of it? Seems to me that anyone with the inclination and skill to download and compile source and use that to verify their binaries is the kind of person most likely to already be running something like Gentoo or LFS...



            • #7
              Originally posted by tildearrow
              Reprodubile-Builds.org?
              Must be a typo.



              • #8
                Originally posted by Michael_S
                This is really cool from a security standpoint.

                It's also surprising that it's taken so long to be considered important. I'm not blaming the Debian developers or the free software community. But in hindsight, we should all have realized how important this was in the early 2000s.
                Like many others, I place trust in my distro to get things right. It's also the easiest place to place trust. If this helps them keep my trust levels high - awesome!



                • #9
                  Originally posted by Delgarde
                  Well, realistically, it's still not important to most people. I mean, it's certainly a good thing that if you want to, you can download the source code yourself and verify that the binaries from the distro do indeed match binaries created yourself from the sources.
                  I thought reproducible builds also had other reasons to exist. Mainly helping in the endless bug hunt. https://www.martinfowler.com/bliki/R...ibleBuild.html



                  • #10
                    Originally posted by Delgarde

                    Well, realistically, it's still not important to most people. I mean, it's certainly a good thing that if you want to, you can download the source code yourself and verify that the binaries from the distro do indeed match binaries created yourself from the sources.

                    But how many users do you think are likely to take advantage of it? Seems to me that anyone with the inclination and skill to download and compile source and use that to verify their binaries is the kind of person most likely to already be running something like Gentoo or LFS...
                    Actually, the same could be said for a lot of HTTPS-based sites. Sure it's not important to a lot of people, but getting the security implemented means that we provide a better platform for the future, which, regardless of personal importance to most people, is something we should strive for.
