by farfatched 41 days ago
Yes, making sure build timestamps are reproducible isn't a security win.

What is a win is that two independent parties can run the same build, and get the same binaries.

This is important because it removes trust from builders: anyone can verify their output.

It just so happens that unimportant things like build versions impede that.


Anyone can verify the actual code in the binary matches even if some bytes within the binary file itself are different. The verification routine doesn't have to be a basic bit-for-bit equality test.
For sure.

This has been the status quo in Debian for a while now. You can build, and use diffoscope to audit the differences.

It's a stronger security property to have bit-for-bit reproducibility, and it looks like Debian are ready to commit to it.
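The two comments above describe two verification strengths: a plain bit-for-bit hash comparison, and a weaker "audit the differences" check where known-volatile fields (such as an embedded build timestamp) are masked out before comparing. The following is an added example, not code from the thread or from Debian's tooling: it uses a constructed toy artifact layout (a magic header, a 4-byte timestamp, then a code section) rather than a real executable format, and masks only the timestamp range so that any other difference is reported as unexplained. Replace `TIMESTAMP_RANGE` with the offsets of whatever volatile field a real format has.

```python
import hashlib
from dataclasses import dataclass, field

# Toy artifact layout (constructed for this example, not a real binary format):
#   bytes 0..3   magic "TOYB"
#   bytes 4..7   build timestamp, unsigned 32-bit little-endian
#   bytes 8..    "code" section
MAGIC = b"TOYB"
TIMESTAMP_RANGE = (4, 8)  # half-open [start, end); assumed volatile field


def make_artifact(timestamp: int, code: bytes) -> bytes:
    """Assemble a toy build output from a timestamp and a code section."""
    return MAGIC + timestamp.to_bytes(4, "little") + code


def normalize(blob: bytes, masked_ranges) -> bytes:
    """Zero every byte range known to vary between builds."""
    buf = bytearray(blob)
    for start, end in masked_ranges:
        buf[start:end] = b"\x00" * (end - start)
    return bytes(buf)


def digest(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


@dataclass
class Verdict:
    bit_identical: bool            # strong property: hashes match as-is
    equivalent_after_masking: bool  # weaker property: match once volatile fields are zeroed
    unexplained_offsets: list = field(default_factory=list)  # differences outside the mask


def verify(a: bytes, b: bytes, masked_ranges=(TIMESTAMP_RANGE,)) -> Verdict:
    """Compare two independently produced builds of the same source."""
    bit_identical = digest(a) == digest(b)
    if len(a) != len(b):
        # A length mismatch cannot be explained by a fixed-size timestamp field.
        return Verdict(bit_identical, False, [])
    na, nb = normalize(a, masked_ranges), normalize(b, masked_ranges)
    unexplained = [i for i, (x, y) in enumerate(zip(na, nb)) if x != y]
    return Verdict(bit_identical, digest(na) == digest(nb), unexplained)


# Constructed sample builds: same code, different build times, plus one tampered copy.
CODE = b"\x55\x48\x89\xe5\x31\xc0\x5d\xc3"
BUILD_A = make_artifact(1700000000, CODE)
BUILD_B = make_artifact(1700003600, CODE)               # rebuilt an hour later
BUILD_TAMPERED = make_artifact(1700003600, CODE[:-1] + b"\xff")  # one code byte changed


if __name__ == "__main__":
    for label, other in (("rebuild", BUILD_B), ("tampered", BUILD_TAMPERED)):
        v = verify(BUILD_A, other)
        print(f"{label}: bit_identical={v.bit_identical} "
              f"equivalent_after_masking={v.equivalent_after_masking} "
              f"unexplained={v.unexplained_offsets}")
```

The point of the masked comparison is that it only buys anything when the mask is narrow and justified: every byte outside the mask is still compared, so a changed instruction shows up as an unexplained offset even when the timestamp also differs. Once the toolchain stops embedding timestamps, `bit_identical` becomes true and the mask is no longer needed.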

You are just restating the point of the thread and not addressing the low return on investment of doing this.
Fair point.

I had figured the cost would decrease in time as deterministic builds became the norm (i.e. build tools stop including build timestamps).

I agree that it might not have positive POI. Bit tricky for me to judge.