Debian Buster will only be 54% reproducible

lists.debian.org/debian-devel/2019/03/msg00017.html
debian cucks eternally blown the fuck out

debian: the open source operative system that can't be recompiled

Like many here understand, Debian-based stuff (Ubuntu) is affected as well.

Who gives a shit.
Sid, nigga.

am brainlet, please explain

Reproducibility is the property that, given the source code and the binary distribution, you can compile the source yourself and get the exact same binaries that are distributed. In other words, you can verify that the binaries you get really were compiled from the source you get, and haven't been tampered with.

So what does that mean? Are the other 46% of packages plain botnet?

basically debian buster is 46% botnet

lol
I'm glad I switched to fedora

>the exact same binaries
according to checksums or files produced?

Probably not, but it can't be proven. (see that 'Reflections on trusting trust' article about compiler backdoors) Reproducible builds are meant to provide that proof.

It's harder than it sounds - for instance, if a single thing in the whole build process generates a timestamp at any point, bam, your build isn't reproducible. Two people on two entirely separate machines at two different times must be able to take the same source and generate the exact same binary. As in you do a binary diff and it's identical.

That for the info and patience user.

"Thanks", I meant.

debianfags BTFO

So which distros are 100% reproducible?

gentoo

source mage, gentoo.

You sure bout that? If they have a build date compiled in, they aren't.

>reproducible
what?

>Only 54% reproducible
So we've gone through the negatives. What are the possible positives of this? None?

thread is baiting tech illiterates
there's nothing to worry about
you can still build all packages yourself

>Run by a bunch of trannies
>Struggling to reproduce
Some jokes write themselves.

Why can't they be reproduced? I assume it uses gcc so

I really should have switched to Gentoo instead of Devuan
Not the same ones you get from Debian
Fucked up and badly maintained (or straight up missing since pre-2016) .buildinfo files

> disclaimer: this has not yet been verified by anyone other than myself, so I could very well be wrong
Nice bait OP

>the one that doesn't have a standard to compare with
right

This is not an issue as important as it seems if you don't know much about it.

It's all just random metadata getting in the way of things.

might as well use gentoo

everything debian based is probably based on stable not testing

>Not the same ones you get from Debian
it's near impossible to compile two things and have them have matching hashes

Underrated

will this fuck devuan up too?

everything else is so fucking neckbeard and designed for desktop thread posting.

kek

>only 54%
isn't that 54% more than there ever used to be?
to my knowledge tor project was the only software that bothered to create reproducible binaries?

That's not what that means you retarded gorilla nigger

gentoo is far from. can't even reproduce same binaries oob on the same machine

Probably Tails and nothing more.

None.
NixOS is very close though.
Also, on Gentoo, reproducibility doesn't mean much since you compile everything locally.

>Debian: 54% white (not tampered with)
MUTTIAN

Fedora has an even lower percentage of reproducible packages. I think it's below 10%. Enjoy the botnet cuck

Run your own rpmbuild server

That won't produce reproducible builds.

It doesn't matter if it's reproducible because you built it yourself and you either trust the source or verified it.

if anyone here was interested in technology, you would know that timestamps, hostnames, usernames and build dates play a large part in this.
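As an added illustration (not posted by anyone in this thread), the Python script below packs the same two files twice, once the naive way with wall-clock mtimes and a user@host owner string, once with the usual reproducible-builds normalisation (SOURCE_DATE_EPOCH, cleared owner fields, sorted members), and compares the checksums; the file contents, build times and builder names are constructed.

```python
import hashlib
import io
import os
import tarfile
import time
import getpass
import socket

# Constructed sample build output (not a real Debian package): path -> file bytes.
SAMPLE_FILES = {
    "usr/share/doc/hello/README": b"hello 1.0\n",
    "usr/bin/hello": b"#!/bin/sh\necho hello\n",
}

def build_archive(files, normalize, now=None, builder=None):
    """Pack files into an in-memory tar, the way a packaging step would.

    normalize=False mimics a naive build: each member carries the wall-clock
    time and the building user/host, and members land in insertion order.
    normalize=True applies the usual reproducible-builds fixes: mtime pinned to
    SOURCE_DATE_EPOCH, owner fields cleared, members written in sorted order.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in (sorted(files) if normalize else files):
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            if normalize:
                info.mtime = int(os.environ.get("SOURCE_DATE_EPOCH", "0"))
                info.uid = info.gid = 0
                info.uname = info.gname = ""
            else:
                # build date, username and hostname all leak into the artifact
                info.mtime = int(time.time()) if now is None else now
                info.uname = (f"{getpass.getuser()}@{socket.gethostname()}"
                              if builder is None else builder)
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def builds_match(normalize):
    """Two builders on different machines a day apart: do the checksums agree?"""
    first = build_archive(SAMPLE_FILES, normalize, now=1551400000, builder="alice@build-a")
    second = build_archive(SAMPLE_FILES, normalize, now=1551486400, builder="bob@build-b")
    return sha256(first) == sha256(second)

if __name__ == "__main__":
    print("naive build reproducible:     ", builds_match(normalize=False))  # False
    print("normalized build reproducible:", builds_match(normalize=True))   # True
```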

NixOS is best distro

imagine actually using a binary distro
and worse, thinking that NOW there is some risk to precompiled binaries whereas before there was not. And to anyone thinking to ask, yes I read every line of mariadb source code before emerging it

lmao imagine not being able to find the backdoor in mariadb

Any statistics to compare other distros with? Otherwise this is like saying "A is bad", without knowing if B, C, or D are any better or worse.

glad that fedora has not even started the required discussion to even make reproducible builds?
fedoraproject.org/wiki/Reproducible_Builds

>trust the source or verified it
trusting the source is the same as trusting binaries, you're just splitting hairs. literally nobody verifies anything on their system. when basic packages are pulling in 40 microlib dependencies each it quickly becomes overwhelming to verify every little thing coming in. the entire push for dynamic linkage came from the US government, look it up. sun microsystems once stated, ~"we knew it was a bad idea, but our customers wanted it." those customers were federal agencies that wanted backdoors the second the internet caught on. you have to wonder why shared libraries, which are a very basic idea in reality, were never once considered until the very moment people began connecting to a global network, and then became a must-have on every system because "muh evil bloated messy static shit!" every supposed advantage of DLLs is a disproven myth at this point. the only advantage is the ability to modify a binary's behavior without modifying the binary, and there's only one type of person who would have any reason to do that. the government can't control every binary being shipped but they can control a small number of important libraries, anybody else would just modify their own binary sources rather than screwing with the libraries. they split libraries into as many small pieces as they can and spread them out to make it next to impossible to verify whether or not certain libraries, when working together, aren't doing anything unexpected.

By the time we get 100% reproducible builds everything will be written in Python and all that will be needed to make it reproducible is the interpreter.

>Debian Buster will only be 54% reproducible (while we could be at >90%)
Why is it not 100%?
>and haven't been tampered with.
So it's botnet, ok.
ayyy
Why is this compiled in? Timestamps maybe but the rest, no.
>everything will be written in JavaScript and runs directly on the processors JavaScript interpreter

The point of reproducibility is being able to confirm that the binaries you get shipped are indeed coming from the source the distributor claims they are from. Whether the source code is trusted is a different story. Nice story you added there btw.

plebian started this tho

LOONIX BTFO

>trusting the source is the same as trusting binaries
Trusting the binaries means you trust the source, the compiler, the build environment, and the people who say that this binary came from this source and this compiler running in this build environment. Trusting the source is a subset of trusting the binary.

>goes to a thread he doesn't like to spout nonsense
bravo wintard

imagine writing all those words but being wrong.

It isn't

Sabayon

Reproducible binaries are a thing but have for most of time been mostly an academic endeavor. In the real world people always say fuck it to reach release dates, get paid, or because they don't have much comp sci knowledge, etc. These days, we are really starting to see the pain of advanced bitrot in almost any project, and the tooling for building software is extremely fast and easy compared to the past, so reproducible binaries/output is becoming more than just something you learn at university. It goes hand in hand with functional programming: either you spend time making a ton of tests, or you make a provable program. Both take time and effort, and there are ways to mix the paradigms but basically we are no longer in the days where it's totally normal to write untested/untestable code in a dynamic environment.

Look, this is not really about security at the end of the day. Some security benefits come from reproducible packages, but it's a marginal side effect. Let me explain:
The only way you can prove that your package maintainer compiled the code they claimed they did is by compiling it yourself and looking for differences. Anyone hyper-paranoid about the code they are running will compile everything themselves regardless of whether the distro maintainers create reproducible packages. At that point, you actually need to audit the source code and put faith in the auditor (even if it's yourself) and you also get an explosion of other code to audit since nothing compiles without dependencies. The only people that can afford to practice software security on this level are large organizations or the very rich.

The real benefit of reproducible packages is in cutting down bugs and making bugs reproducible and isolatable. If you know the package is always the same, and the environment is the same, you can recreate the bug, then pinpoint where it came from and fix it. Many problems Linux has had over the years come from everyone running systems with so many thousands of different variables, that most bugs can only be fixed by the person experiencing the bug. We are coming to a time where finally upstream developers can actually recreate what exactly went wrong and figure out how to fix it. This has not been how Linux was for many years. It's also important for businesses to be able to reproduce everything exactly so that they can scale, but also so that they can more easily fix bugs themselves or implement custom behavior that they know will work.

So all you guys on about security have good intentions, but you don't understand the real problem with Debian ("the stable distro") being so unreproducible.

I fucking knew it. all year long I've been saying debian 10 is going to be the worst debian release yet. this is just a small sign for what will come in the future. I just fucking know it will be unstable as hell

The hell does that have to do with anything? Buster seems a lot better than stretch already.

none iirc bc that is a lot of complexity to root out. given how huge the debian package archive is im not surprised they got it up that high

>but you don't understand the real problem with Debian ("the stable distro") being so unreproducible.
I think it's because debian has too many non-default shit in their packages

Wow, it's fucking nothing.

>FreeBSD
That's it.

t. debian maintainers

>using Glow in the dark NSA/Linux

buster is trash, purging systems breaks everything

systemD*

You're actually retarded

what about OpenBSD?

slackware

thanks kind user, that is the last straw i am going back to win10. how reproducible is it?

>how reproducible is it?
if you can find the exact value of tan90°, you can find the reproducibility of windows 10

thank you user, that thread was interesting and I learned a couple things

trips of the absolute brain dead retardedness sub zero IQ
you can't build windows from source you black nigger gorilla stupid fucker

Arch

Kek xiggers btfo