oss-sec mailing list archives
Re: Reproducible Builds for Fedora
From: Steve Grubb <sgrubb () redhat com>
Date: Wed, 25 Sep 2013 09:59:59 -0400
Hello,

On Wednesday, September 25, 2013 10:08:01 AM Sebastian Krahmer wrote:
> I was checking the rpm-compare how it actually is doing the compare and you have:
>
> [...]
>     base=`basename $f`
>     objdump -d rpm1/$f | grep -v $base > dump1
>     objdump -d rpm2/$f | grep -v $base > dump2
>     diff -u dump1 dump2 > /dev/null
>     if [ $? -ne 0 ] ; then
>         echo "File disassembly differs $f"
>         cnt=`expr $cnt + 1`
>     fi
> [...]
>
> for ELF files and doing a sha256sum for other file types. My concern is that
> attackers could construct a package that contains function-names that match
> the basename of the binary that you are checking.

Thanks for the feedback. I think the 'grep -v' can be replaced with sed '1,2d'.
Its purpose was to delete the file path that objdump inserts at the top which
causes miscompares.

-Steve
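As an added example (not code from the thread or from rpm-compare), the comparison above run over two constructed objdump listings: the only real difference sits on a line that contains the basename, so `grep -v $base` hides it, while the header-only `sed '1,2d'` filter still reports it.

```shell
#!/bin/sh
# Added example, not code from the thread. Two constructed `objdump -d`
# listings of /usr/bin/foo from two rebuilds; the only real difference is
# the call target inside <foo>, and that line happens to contain "foo".
dump1() {
    printf '%s\n' \
        '' \
        'rpm1/usr/bin/foo:     file format elf64-x86-64' \
        '' \
        '' \
        'Disassembly of section .text:' \
        '' \
        '0000000000001000 <foo>:' \
        '    1000:  31 c0              xor    %eax,%eax' \
        '    1002:  e8 19 00 00 00     call   1020 <foo_helper>' \
        '    1007:  c3                 ret'
}
dump2() {
    printf '%s\n' \
        '' \
        'rpm2/usr/bin/foo:     file format elf64-x86-64' \
        '' \
        '' \
        'Disassembly of section .text:' \
        '' \
        '0000000000001000 <foo>:' \
        '    1000:  31 c0              xor    %eax,%eax' \
        '    1002:  e8 29 00 00 00     call   1030 <foo_other>' \
        '    1007:  c3                 ret'
}

# Normalisation as quoted from rpm-compare: drop every line containing the basename.
strip_by_grep() { grep -v "$1"; }
# Normalisation suggested in the reply: drop only the leading blank line and
# the "file format" header, the two lines where objdump inserts the file path.
strip_header() { sed '1,2d'; }

# Run the check with a given filter; returns 0 if identical, 1 if the dumps differ.
compare_with() {
    a=$(dump1 | "$1" "$2")
    b=$(dump2 | "$1" "$2")
    [ "$a" = "$b" ]
}

base=$(basename /usr/bin/foo)
compare_with strip_by_grep "$base" && echo "grep -v: no difference seen (changed call hidden)"
compare_with strip_header  "$base" || echo "sed 1,2d: File disassembly differs /usr/bin/foo"
```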