oss-sec mailing list archives

Re: Reproducible Builds for Fedora


From: Sebastian Krahmer <krahmer () suse de>
Date: Wed, 25 Sep 2013 10:08:01 +0200

Hi


Cool stuff indeed, and certainly a benefit.

On Tue, Sep 24, 2013 at 09:55:13PM +0530, Dhiru Kholia wrote:

> Hi,
>
> I have been working on having Reproducible Builds in Fedora for some
> time.
>
> At this point, I think I have something demoable. Ensuring Reproducible
> Builds is a big task and I want your feedback, ideas, code and support.


Since you asked for support, here's my idea. I hope I am not nitpicking, but
the whole idea behind reproducible builds is to avoid trojaned RPMs,
I guess.

I was checking how rpm-compare actually does the comparison,
and you have:

[...]
                base=`basename $f`
                objdump -d rpm1/$f | grep -v $base > dump1
                objdump -d rpm2/$f | grep -v $base > dump2
                diff -u dump1 dump2 > /dev/null
                if [ $? -ne 0 ] ; then
                          echo "File disassembly differs $f"
                          cnt=`expr $cnt + 1`
                fi
[...]

for ELF files, and doing a sha256sum for other file types. My concern is
that attackers could construct a package that contains function names that
match the basename of the binary you are checking. The "grep -v"
will remove those lines, leaving a clean compare for injected code like
'call $base' etc. That would give a false impression of equal binaries.

regards,
Sebastian

-- 

~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer () suse de - SuSE Security Team
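The filter problem described above, replayed as an added example; this is not
rpm-compare's own code and not from either poster. Two constructed, shortened
objdump-style dumps of a hypothetical binary named "foo" are fed through the
quoted "grep -v $base" step: the only line that differs between them is a call
whose operand symbol carries the basename (the tampered build retargets the
call from the hypothetical foo_check to the hypothetical foo_log), so the
naive filter drops it from both dumps and reports them equal. A replacement
filter that strips only objdump's path-bearing header line reports the
difference. Paths, addresses and symbol names are all made up for the
demonstration.

```shell
#!/bin/sh
# Added example, not rpm-compare's own code. Replays the "grep -v $base" step
# on two constructed objdump-style dumps of a binary named "foo".

base=foo

# Constructed dump of the clean build: main calls foo_check at 0x1130.
# (rel32 of "e8 ea 00 00 00" at 0x1041 is 0x1130 - 0x1046 = 0xea.)
dump_clean() {
cat <<'EOF'
rpm1/usr/bin/foo:     file format elf64-x86-64


Disassembly of section .text:

0000000000001040 <main>:
    1040:  55                      push   %rbp
    1041:  e8 ea 00 00 00          call   1130 <foo_check>
    1046:  31 c0                   xor    %eax,%eax
    1048:  5d                      pop    %rbp
    1049:  c3                      ret

0000000000001130 <foo_check>:
    1130:  c3                      ret

0000000000001150 <foo_log>:
    1150:  c3                      ret
EOF
}

# Constructed dump of the tampered build: the same 5-byte call in main now
# targets foo_log at 0x1150 (0x1150 - 0x1046 = 0x10a). Nothing else differs,
# so every line that differs contains the basename "foo".
dump_trojaned() {
cat <<'EOF'
rpm2/usr/bin/foo:     file format elf64-x86-64


Disassembly of section .text:

0000000000001040 <main>:
    1040:  55                      push   %rbp
    1041:  e8 0a 01 00 00          call   1150 <foo_log>
    1046:  31 c0                   xor    %eax,%eax
    1048:  5d                      pop    %rbp
    1049:  c3                      ret

0000000000001130 <foo_check>:
    1130:  c3                      ret

0000000000001150 <foo_log>:
    1150:  c3                      ret
EOF
}

# What the quoted script does: every line containing the basename vanishes,
# including any call, jump or label whose symbol name happens to contain it.
naive_filter() {
    grep -v "$base"
}

# Replacement: the only path-dependent line objdump emits is the
# "<path>:     file format ..." header, so keep everything from the first
# "Disassembly of section" line onwards and filter nothing else.
fixed_filter() {
    sed -n '/^Disassembly of section /,$p'
}

# Runs both dumps through the filter named in $1; returns 0 if they compare
# equal after filtering (i.e. the script would NOT report a difference).
compare_with() {
    d1=$(dump_clean | "$1")
    d2=$(dump_trojaned | "$1")
    [ "$d1" = "$d2" ]
}

if compare_with naive_filter; then
    echo "grep -v $base:      no difference reported (retargeted call hidden)"
else
    echo "grep -v $base:      File disassembly differs"
fi
if compare_with fixed_filter; then
    echo "header-only strip:  no difference reported"
else
    echo "header-only strip:  File disassembly differs"
fi
```

Stripping only the header (or disassembling copies placed under identical
paths) removes the need to filter on the basename at all. Note also that, as
quoted, ELF files are compared by their disassembly only; the sha256sum path
is applied to non-ELF files, so bytes that objdump -d does not disassemble are
not covered by either check.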

