List:       qubes-devel
Subject:    Re: [qubes-devel] Deterministic builds for Qubes OS -- the shortcut?
From:       Holger Levsen <holger () layer-acht ! org>
Date:       2015-12-23 13:59:18
Message-ID: 201512231459.20370.holger () layer-acht ! org


Hi,

On Tuesday, 22 December 2015, HW42 wrote:
> But since we focus (for now) only on direct Qubes components this doesn't
> need to bother us. I made some tests and the Qubes specific Debian
> packages are already reproducible when using the patched dpkg+debhelper.
> Similar patches for Fedora/rpm are already being worked on.

can you give me that list of packages please so I can add package sets like we 
already have for tails or grml:

https://reproducible.debian.net/unstable/amd64/pkg_set_tails.html
https://reproducible.debian.net/unstable/amd64/pkg_set_tails_build-depends.html
https://reproducible.debian.net/unstable/amd64/pkg_set_grml.html
https://reproducible.debian.net/unstable/amd64/pkg_set_grml_build-depends.html

> A little bit more work will be needed to get the installer ISO and the
> template images reproducible. But here we can use a pragmatic approach
> (i.e. instead of waiting to get all things fixed upstream use
> postprocessing and local patches) and also get this with manageable
> effort/time.

I agree.
 
> Some notes on the proposed approach:
> 
> Partially this is already done. Gitian [4] uses a predefined VM image to
> build the software in it. For example this is used for the Tor Browser

Yup, I was going to suggest looking at Gitian too.

Another thing I forgot to mention in my previous mail: there has been some
work done on reproducible installations already, see here:
https://wiki.debian.org/ReproducibleInstalls


cheers,
	Holger
