Collaborative Working Sessions - Arch huddle

Making Arch Linux Debug Packages Reproducible

This should be handled in three different steps. There are questions remaining to be answered before proceeding with the integration.

debuginfod

  • Is debuginfod secure?
    • i.e. Is there authentication between gdb and debuginfod?

⚠️ It is theoretically possible to perform code execution through debug symbols.

Mirrors

  • Right now the debug packages live in a single server. We should start distributing them through mirrors and potentially have them in our archives as well.
    • There is a question about storage since debug packages might take a good amount of disk space.
    • “We shouldn’t let the limitations of mirrors affect our design choices”.

Integration

Here are the tools that needs integration: