Collaborative Working Sessions - Arch huddle

Making Arch Linux Debug Packages Reproducible

This should be handled in three different steps. There are questions remaining to be answered before proceeding with the integration.

debuginfod

  • Is debuginfod secure?
    • i.e. Is there authentication between gdb and debuginfod?

⚠️ It is theoretically possible to perform code execution through debug symbols.

Mirrors

  • Right now the debug packages live on a single server. We should start distributing them through mirrors and potentially have them in our archives as well.
    • There is a question about storage since debug packages might take a good amount of disk space.
    • “We shouldn’t let the limitations of mirrors affect our design choices”.

Integration

Here are the tools that need integration:
