

Ask HN: how do I check if the package was built from a particular source? - snitko

So, say I have an ubuntu .deb package with binary files in it and I have the source files from which those binaries were built, both downloaded from the repo. How do I check if those binaries were built from the exact same source they claim to be built from? CRC seems to only provide a way of checking the sum for the package downloaded, so that I'd be sure nothing happened during the download - but, as far as I understand, it has nothing to do with the sources.

(not paranoid, just curious).
======
rlpb
You can't really tell for sure. The resulting binaries will depend heavily on
deterministic factors such as the exact versions of build tools and build OS
used, and may also depend on non-deterministic factors such as the order of
execution of different threads in the build process affecting orderings in the
resulting binaries.

With packages, the easiest way to eliminate doubt is to build the binary
packages from the source packages yourself. This is relatively straightforward
as source packages contain all the information needed (options etc) to make
the build automation work.

You should also read Ken Thompson's "Reflections on Trusting Trust"
(<http://cm.bell-labs.com/who/ken/trust.html>), which shows that even if the
binaries were built from the exact source they claim, you still can't trust
them unless you can also trust the toolchain and its entire ancestry.

~~~
snitko
Thanks for the answer and especially for the link and a short annotation on
it. Exciting.

------
pbhjpbhj
The control data (eg unzip the archive and view or use "dpkg-deb -I
/path/to/package.deb") gives you the version number which should match. This
should also match with changelog details from changelog.gz under the data part
of the deb (but not all packages have this). Both of these are easily forged.

To me, a novice, it appears that the best bet is to use signed/checksummed
packages from a reputable source; I don't think you can tell beyond this.

To be able to recompile and compare the binaries you'd need to know which
compile-time options were used.
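Both answers above boil down to the same procedure: pull the control data out of the downloaded .deb, rebuild the binary package from the source package yourself, and then compare the two payloads file by file. The script below is an added illustration (not code from anyone in this thread, and not dpkg's own implementation): it parses the .deb container format directly (an `ar` archive holding `debian-binary`, `control.tar.*` and `data.tar.*`), reads the `Package`/`Version` fields from the control file, and reports which files in `data.tar` differ between the downloaded package and a locally rebuilt one. The two packages it compares are constructed in memory with `make_deb`, so it runs offline; for real use you would read the two `.deb` files from disk instead. Expect the binaries to differ unless the package is built reproducibly, which is exactly the point rlpb makes about build-tool versions and non-deterministic ordering.

```python
import hashlib
import io
import tarfile

AR_MAGIC = b"!<arch>\n"


def ar_members(blob):
    """Parse an ar archive (the outer container of a .deb) into {member_name: bytes}."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    members = {}
    while pos < len(blob):
        hdr = blob[pos:pos + 60]          # fixed 60-byte member header
        if len(hdr) < 60 or hdr[58:60] != b"`\n":
            raise ValueError("bad or truncated member header")
        # GNU ar terminates names with '/', dpkg pads with spaces; accept both
        name = hdr[0:16].decode("ascii").rstrip().rstrip("/")
        size = int(hdr[48:58])            # decimal size, space padded
        start = pos + 60
        members[name] = blob[start:start + size]
        pos = start + size + (size % 2)   # member data is padded to an even offset
    return members


def _norm(path):
    """Strip the leading './' that dpkg uses for paths inside its tarballs."""
    return path[2:] if path.startswith("./") else path


def tar_digests(tar_bytes):
    """Return {path: sha256hex} for every regular file in a (possibly compressed) tar."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf:
            if member.isfile():
                digests[_norm(member.name)] = hashlib.sha256(tf.extractfile(member).read()).hexdigest()
    return digests


def parse_control(control_tar):
    """Read the 'control' file from control.tar into a dict of fields (equivalent to dpkg-deb -I)."""
    with tarfile.open(fileobj=io.BytesIO(control_tar), mode="r:*") as tf:
        for member in tf:
            if member.isfile() and _norm(member.name) == "control":
                text = tf.extractfile(member).read().decode("utf-8")
                break
        else:
            raise ValueError("control.tar has no control file")
    fields = {}
    for line in text.splitlines():
        if line and not line[0].isspace() and ":" in line:   # skip continuation lines
            key, value = line.split(":", 1)
            fields[key] = value.strip()
    return fields


def inspect_deb(blob):
    """Return (control_fields, {path: sha256}) for one .deb given as bytes."""
    members = ar_members(blob)
    if members.get("debian-binary", b"").strip() != b"2.0":
        raise ValueError("unsupported deb format version")
    control_name = next(n for n in members if n.startswith("control.tar"))
    data_name = next(n for n in members if n.startswith("data.tar"))
    return parse_control(members[control_name]), tar_digests(members[data_name])


def compare_debs(downloaded, rebuilt):
    """Compare a downloaded .deb against one rebuilt from the source package.

    Returns (same_package_and_version, sorted list of paths whose content differs
    or that exist in only one of the two packages)."""
    ctl_a, files_a = inspect_deb(downloaded)
    ctl_b, files_b = inspect_deb(rebuilt)
    same_version = (ctl_a.get("Package"), ctl_a.get("Version")) == \
                   (ctl_b.get("Package"), ctl_b.get("Version"))
    differing = sorted(p for p in set(files_a) | set(files_b) if files_a.get(p) != files_b.get(p))
    return same_version, differing


# --- constructed sample packages (not real Ubuntu packages) -------------------

def _ar_member(name, payload):
    hdr = f"{name:<16}{'0':<12}{'0':<6}{'0':<6}{'100644':<8}{len(payload):<10}".encode("ascii") + b"`\n"
    return hdr + payload + (b"\n" if len(payload) % 2 else b"")


def _tar_gz(files):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, content in files.items():
            info = tarfile.TarInfo(name="./" + path)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def make_deb(package, version, files):
    """Build a minimal, structurally valid .deb in memory (constructed sample)."""
    control = (f"Package: {package}\nVersion: {version}\nArchitecture: amd64\n"
               f"Maintainer: example <ex@example.invalid>\nDescription: constructed sample\n").encode()
    return (AR_MAGIC
            + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", _tar_gz({"control": control}))
            + _ar_member("data.tar.gz", _tar_gz(files)))


def demo():
    """Same source version on both sides, but the compiled binary differs between builds."""
    docs = {"usr/share/doc/hello/changelog.gz": b"hello (1.0-1) unstable; urgency=low\n"}
    downloaded = make_deb("hello", "1.0-1", {"usr/bin/hello": b"\x7fELF build from mirror", **docs})
    rebuilt = make_deb("hello", "1.0-1", {"usr/bin/hello": b"\x7fELF rebuilt locally", **docs})
    return compare_debs(downloaded, rebuilt)


if __name__ == "__main__":
    same, diffs = demo()
    print("same Package/Version:", same)
    print("files that differ:", diffs)
```

If the rebuilt package reports no differing files the binaries are byte-identical to what the source package produces on your toolchain; a non-empty list is where you start looking at compiler versions, embedded timestamps and the compile-time options pbhjpbhj mentions, since those are the usual reasons two honest builds of the same source disagree.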

