[Mono-dev] making mono builds reproducible (xamarin bz #26842)

Jo Shields directhex at apebox.org
Tue Feb 17 10:16:28 UTC 2015


It's a security project - by making builds (optionally) deterministic, you enable users to verify bit-for-bit that software compiled by a benevolent build server or benevolent developer is actually the same as when they compile the software themselves. Otherwise, it is possible (or even trivial, in Debian) for a developer or build server admin to backdoor software downloads. 

Sent from my Sony Xperia™ smartphone

---- Miguel de Icaza wrote ----

>Hey guys,
>
>
>I assume this is related to the unique identifier generated on each ECMA assembly?
>
>
>The issue here is that this goes against the requirements of the spec.   
>
>
>What exactly is being proposed here?
>
>
>On Mon, Feb 16, 2015 at 7:06 PM, Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:
>
>On Mon 2015-02-16 18:17:53 -0500, Michael McGlothlin wrote:
>> I'd always store time in epochs. Seconds since 1/1/1970 GMT.
>>
>> The use of textual date strings instead of a epochs is one of the
>> worst things I've seen from the C# way of doing things. I had often
>> wondered why so many programs could have so much trouble with handling
>> dates and times correctly..
>
>I agree that silly standards like RFC 822 timestamps are crazy and
>should not be used anywhere we can avoid them.
>
>However, the ISO-8601 date/timestamp format is both human- and
>machine-parseable, whereas most humans can't look at a UNIX epoch
>timestamp and know even whether it's in the past or the future.
>
>That said, i really care more about reproducibility than i do about any
>particular timestamp format.  if folks are fine with UNIX epoch
>timestamps and with the environment variable interfacfe Jo proposes,
>i'll be happy with that.  Is this something that could be adopted
>upstream?
>
>
>        --dkg
>_______________________________________________
>Mono-devel-list mailing list
>Mono-devel-list at lists.ximian.com
>http://lists.ximian.com/mailman/listinfo/mono-devel-list
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ximian.com/pipermail/mono-devel-list/attachments/20150217/00ffa620/attachment.html>


More information about the Mono-devel-list mailing list