[Mono-dev] making mono builds reproducible (xamarin bz #26842)
directhex at apebox.org
Tue Feb 17 10:16:28 UTC 2015
It's a security project - by making builds (optionally) deterministic, you enable users to verify bit-for-bit that software compiled by a benevolent build server or benevolent developer is actually the same as when they compile the software themselves. Otherwise, it is possible (or even trivial, in Debian) for a developer or build server admin to backdoor software downloads.
---- Miguel de Icaza wrote ----
>I assume this is related to the unique identifier generated on each ECMA assembly?
>The issue here is that this goes against the requirements of the spec.
>What exactly is being proposed here?
>On Mon, Feb 16, 2015 at 7:06 PM, Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:
>On Mon 2015-02-16 18:17:53 -0500, Michael McGlothlin wrote:
>> I'd always store time in epochs. Seconds since 1/1/1970 GMT.
>> The use of textual date strings instead of epochs is one of the
>> worst things I've seen from the C# way of doing things. I had often
>> wondered why so many programs could have so much trouble with handling
>> dates and times correctly..
>I agree that silly standards like RFC 822 timestamps are crazy and
>should not be used anywhere we can avoid them.
>However, the ISO-8601 date/timestamp format is both human- and
>machine-parseable, whereas most humans can't look at a UNIX epoch
>timestamp and know even whether it's in the past or the future.
>That said, i really care more about reproducibility than i do about any
>particular timestamp format. if folks are fine with UNIX epoch
>timestamps and with the environment variable interface Jo proposes,
>i'll be happy with that. Is this something that could be adopted
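The bit-for-bit check described in the first message, as an added example that is not part of the thread and not Mono's code: a toy build step stamps an artifact with a timestamp and a per-build identifier, and a verifier compares a published build against a rebuild. The variable name `BUILD_EPOCH`, the header layout and the input-derived identifier are assumptions made for illustration.

```python
import hashlib
import time
import uuid

EPOCH_VAR = "BUILD_EPOCH"  # hypothetical name; the thread does not name the variable
HEADER_LEN = 8 + 16        # constructed layout: 8-byte timestamp + 16-byte build id


def build(source: bytes, env: dict) -> bytes:
    """Toy build step: stamp the artifact with a time and a per-build identifier."""
    raw = env.get(EPOCH_VAR)
    if raw is None:
        # Default behaviour: wall-clock time and a random id, so no two builds match.
        stamp, build_id = int(time.time()), uuid.uuid4().bytes
    else:
        stamp = int(raw)  # ValueError on anything that is not an integer
        if not 0 <= stamp < 2**64:
            raise ValueError(f"{EPOCH_VAR} out of range: {raw!r}")
        # Assumption of this example: in deterministic mode the id is derived
        # from the inputs instead of being random.
        build_id = hashlib.sha256(raw.encode() + b"\0" + source).digest()[:16]
    return stamp.to_bytes(8, "big") + build_id + source


def verify(published: bytes, rebuilt: bytes):
    """Return (match, offset of first differing byte or None)."""
    if hashlib.sha256(published).digest() == hashlib.sha256(rebuilt).digest():
        return True, None
    for i, (x, y) in enumerate(zip(published, rebuilt)):
        if x != y:
            return False, i
    return False, min(len(published), len(rebuilt))


if __name__ == "__main__":
    src = b"class Program { static void Main() {} }"  # constructed input
    pinned = {EPOCH_VAR: "1424168188"}                 # constructed epoch value
    print("pinned: ", verify(build(src, pinned), build(src, pinned)))
    print("default:", verify(build(src, {}), build(src, {})))
```

A mismatch whose first differing offset falls inside the header points at the timestamp or identifier, not at the compiled payload.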