Fedora Targets 99% Package Reproducibility by October (lwn.net)
- Reference: 0177004239
- News link: https://linux.slashdot.org/story/25/04/11/2143211/fedora-targets-99-package-reproducibility-by-october
- Source link: https://lwn.net/Articles/1014979/
The effort will use a public instance of rebuilderd to independently verify that binary packages can be reproduced from source code. Unlike Debian's bit-by-bit reproducibility definition, Fedora allows differences in package signatures and some metadata while requiring identical payloads. The initiative follows similar efforts by Debian and openSUSE, and comes amid heightened focus on supply-chain security after the recent XZ backdoor incident.
[1] https://lwn.net/Articles/1014979/
I don't get this part (Score:3)
> The initiative follows similar efforts by Debian and openSUSE, and comes amid heightened focus on supply-chain security after the recent XZ backdoor incident.
I don't see how this would have done anything to prevent the "XZ backdoor incident", since that code was inserted by a trusted maintainer.
Re: (Score:2)
It's about getting the last 10% of the "trusted maintainers" inline.
Re: (Score:3)
> I don't see how this would have done anything to prevent the "XZ backdoor incident", since that code was inserted by a trusted maintainer.
What the XZ incident did was raise the awareness level of supply chain attacks (the vulnerability was always acknowledged; that the XZ maintainer almost succeeded increased the concerns). Reproducible builds are just one part of the process to raise the bar.
Re: (Score:2)
Reproducible means you can verify what the maintainer did.
For XZ, there was a tar for download that didn't match the contents of the git. As there were no reproducible instructions on how to build the tar from git (it involved generating random-looking test data), one would not have the chance to verify if someone injected data from outside the repository.
If they had a reproducible build script, you could build the release yourself and compare against the official version. If there is a mismatch, someone (possi
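A comparison along the lines of the two definitions discussed in this thread (Debian's whole-artifact match versus Fedora's identical-payload rule), written as an added example and not code from rebuilderd or either distribution; it uses in-memory tar archives with constructed file contents and build metadata in place of real RPM/cpio payloads.

```python
import hashlib
import io
import tarfile

# Constructed sample payload shared by both "builds" (stand-in for installed files).
FILES = {
    "usr/bin/tool": b"\x7fELF-constructed-binary-bytes",
    "usr/share/doc/tool/README": b"tool 1.0\n",
}


def build_archive(files, mtime, uname):
    """Pack files into an in-memory tar. mtime and uname stand in for the
    build-environment metadata that legitimately differs between rebuilds."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime
            info.uname = uname
            info.mode = 0o755 if name.startswith("usr/bin/") else 0o644
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def bitwise_digest(archive):
    """Debian-style check: hash of the entire artifact, metadata included."""
    return hashlib.sha256(archive).hexdigest()


def payload_digest(archive):
    """Fedora-style check: hash only what gets installed (path, mode, contents)
    in canonical order; timestamps and owner names are deliberately ignored."""
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in sorted(tar.getmembers(), key=lambda m: m.name):
            data = tar.extractfile(member).read() if member.isfile() else b""
            h.update(f"{member.name}\0{member.mode:o}\0".encode())
            h.update(hashlib.sha256(data).digest() + b"\0")
    return h.hexdigest()


def compare_builds(official, rebuilt):
    """Report whether a rebuild matches the official package under each definition."""
    return {
        "bitwise_identical": bitwise_digest(official) == bitwise_digest(rebuilt),
        "payload_identical": payload_digest(official) == payload_digest(rebuilt),
    }


if __name__ == "__main__":
    official = build_archive(FILES, mtime=1700000000, uname="koji")
    rebuilt = build_archive(FILES, mtime=1700086400, uname="rebuilder")
    print(compare_builds(official, rebuilt))  # differs bitwise, payload matches
    tampered = dict(FILES, **{"usr/bin/tool": FILES["usr/bin/tool"] + b"\x90"})
    print(compare_builds(official, build_archive(tampered, 1700086400, "rebuilder")))
```

A payload mismatch is the signal a rebuilder would flag for investigation; a bitwise mismatch alone is expected noise under Fedora's definition.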
Re: (Score:2)
Trust but verify.
Re: I don't get this part (Score:2)
+9000
There are many ways to compromise.
Feeling better about switch to Debian ... (Score:1)
This makes me feel better about switching to Debian years ago. Actual Debian, not Ubuntu.
Re: (Score:2)
Why exactly? Debian is going through this exact same issue as we speak.
Re: (Score:2)
This seems like a scenario where we all win.
Red Hat does their twiddling for RPM but in turn upstreams anything helpful to the source project, allowing rival package formats such as Arch, deb, pkgsrc etc to adopt reproducible builds too.
Re: (Score:1)
> Why exactly? Debian is going through this exact same issue as we speak.
It seems like Debian is doing a more thorough job from what was written.
Re: (Score:2)
>> Why exactly? Debian is going through this exact same issue as we speak.
> It seems like Debian is doing a more thorough job from what was written.
Debian has to do things differently because, unlike Fedora, Debian allowed (under some circumstances) packagers to upload resulting files directly to the repos, and apt uses detached (rather than embedded, as in rpm) signatures. Fedora requires all packages to build from source in their dist-git on their build infrastructure. The goals are the same (reproducibility), but the implementations and schedules are different because they have different things to address in their procedures and infrastructure. A
Re: (Score:2)
Debian doesn't even have its own cringey weirdo meme.
Re: (Score:2)
Have you met many Debian users? They all seem to be the old guy in the rubber mask Scooby and gang unmasks at the end of the episode.
Hah, about time... (Score:2)
I would guess that a majority of competing Linux distributions were launched in the past 30 years from Redhat's complete lack of giving a shit about how, when, with what, and on what actual system their packages were made.