[OE-core] The state of reproducible Builds
martin at geanix.com
Tue Jul 2 14:32:31 UTC 2019
On 02/07/2019 16.13, Joshua Watt wrote:
>> For detecting malicous binaries not built from the claimed sources 1. is
>> sufficient. For distributions like Debian that build natively this is
>> even the only option available since the host compiler is used.
>> Doing 2. would of course be more desirable, but it can also be done in
>> a second step after all issues related to building on exactly the same
>> host have been sorted out.
> I think there are also other use cases for #2 besides detecting
> malicious binaries/source code, such as hash equivalence, or even being
> able use sstate when making a reproducible build. You are correct that
> this can be done in a second step, but I think that everyone needs to be
> aware of the limitations that will present when #2 is not present (the
> main one being that you probably can't make a reproducible build if you
> use sstate).
Our use case for reproducible builds is to limit delta update sizes.
I.e. updating one package shouldn;t change the binary output from other
More information about the Openembedded-core