Produce identical packages for checksum comparison?

b. f. bf1783 at googlemail.com
Sun Nov 15 19:41:21 UTC 2009


On 11/15/09, Chris <christopher-ml at telting.org> wrote:
> b. f. wrote:
>> Chris wrote:

...

>> Even if you edited your
>> filesystem or archives to change the timestamps of package files, the
>>
> I think that could be accomplished though the port makefiles.

I think that the exact reproduction of whole archives will be
problematic, unless you have a means of changing the ctime of the
binaries that have been built to a predetermined value.

>> toolchain used to create the binary files in packages often injects
>> random seeds, timestamps, file paths, uid/gid information, etc. that
>>
> I can understand file paths with debug info.  Timestamps?  Ok sure for a
> timestamp file being generated during a make that auto increments version
> numbers.  What would change about uid/gid?  I can't imagine why that
> might be in the binaries.

ar(1) and some of the other utilities inject this information into
certain binary files.  Try running 'objdump -a'  on, for example,
some static archive like /usr/lib/libc.a.  Of course this information
can be manipulated, but you have to do it.  See the patches in the
link I cited earlier for other examples.

...

> Why would the build tools be injecting random numbers into binaries?

Usually to provide some degree of uniqueness.  I'm not saying that it
is always done, just that it _may_ be done.  See, for example, the gcc
sources or the -frandom-seed option description in gcc(1).  And it may
not be just the compiler toolchain -- a port may do it.

Occasionally, there are other sources of non-determinism.  For
example, in a recent thesis, a researcher who was trying to use
reproducible builds to defeat a longstanding security threat found
that the tcc compiler produced non-deterministic builds because of a
defect in sign-extending some casts, and a problem with long double
output.  He also cited another researcher's finding that a certain
java compiler's output was dependent upon the address of heap memory
addresses used during compilation.  See:

http://www.dwheeler.com/trusting-trust/dissertation/wheeler-trusting-trust-ddc.pdf

...

>If I concentrated on one problem at a  time I would never get anything done.

?! :)


b.


More information about the freebsd-questions mailing list