From: Bruce Evans
Date: Mon, 24 Oct 2005 22:09:11 +1000 (EST)
To: Martin Cracauer
Cc: Peter Jeremy, delphij@delphij.net, developers@freebsd.org, freebsd-security@freebsd.org
Subject: Re: Is it feasible to cross-build compat5x binary?
Message-ID: <20051024215918.V15095@delplex.bde.org>

On Mon, 24 Oct 2005, Martin Cracauer wrote:

> Peter Jeremy wrote on Mon, Oct 24, 2005 at 06:08:11PM +1000:
>> On Sun, 2005-Oct-23 16:29:35 -0700, David O'Brien wrote:
>>> We should not trust cross built libraries for this purpose at this time.
>>> We really don't know how identical the results will be to being natively
>>> built.
>>
>> At some stage, we need to validate our cross-build chain with cmp(1).
>
> ELF object files are timestamped. But there's some elf-cmp out there.

On libraries (ELF or not: .so or .a) are. I use diff -r to check that
builds of object trees give reproducible results, and just ignore
libraries since they are built up from object files by a simple process
(perhaps not so simple for .so's).

The main problem at least used to be braindamaged applications that create
irreproducible results using the following methods:
- version.c files with a unique version number or timestamp
- __DATE__ in C files. Results are reproducible until the next day
- __TIME__ in C files
- __FILE__ in C files. For {source,generated} files, this makes the
  results depend on the location of the {source,object} tree.

Bruce
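
The object-tree check and the list of causes in the message above, as an added example that is not part of the original post: it compares two build trees file by file with cmp(1), skipping libraries by name, and scans sources for __DATE__, __TIME__ and __FILE__. The function names and the sample trees are constructed for illustration; the .o files are text placeholders, not real objects.

```shell
#!/bin/sh
# Added example (not from the original message): compare two object trees and
# locate the source constructs the message lists as breaking reproducibility.

# list_objects DIR: relative paths of regular files in DIR, libraries skipped
# (*.a, *.so, *.so.N), since they are assembled from the objects compared here.
list_objects() {
    (cd "$1" && find . -type f ! -name '*.a' ! -name '*.so' ! -name '*.so.*' | sort)
}

# compare_objtrees DIR1 DIR2: print DIFFER/ONLY1/ONLY2 lines; return 1 if any.
compare_objtrees() {
    out=$(
        list_objects "$1" | while IFS= read -r f; do
            if [ ! -f "$2/$f" ]; then echo "ONLY1 $f"
            elif ! cmp -s "$1/$f" "$2/$f"; then echo "DIFFER $f"
            fi
        done
        list_objects "$2" | while IFS= read -r f; do
            [ -f "$1/$f" ] || echo "ONLY2 $f"
        done
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# scan_sources SRCDIR: file:line:text for each use of __DATE__, __TIME__ or
# __FILE__ in C sources and headers. /dev/null forces grep to print file names.
scan_sources() {
    find "$1" -type f \( -name '*.c' -o -name '*.h' \) \
        -exec grep -nE '__(DATE|TIME|FILE)__' /dev/null {} +
}

# make_sample DIR: constructed stand-ins for two builds of one source tree.
# The .o files are text placeholders, not real ELF objects.
make_sample() {
    mkdir -p "$1/src" "$1/obj1/lib" "$1/obj2/lib"
    printf 'const char built[] = __DATE__ " " __TIME__;\n' > "$1/src/version.c"
    printf 'int add(int a, int b) { return a + b; }\n' > "$1/src/add.c"
    for t in obj1 obj2; do
        echo 'add-object' > "$1/$t/add.o"
        echo "archive-with-mtime-$t" > "$1/$t/lib/libfoo.a"
    done
    echo 'Oct 24 2005 12:00:00' > "$1/obj1/version.o"
    echo 'Oct 25 2005 09:30:00' > "$1/obj2/version.o"
}
```

A tree compared against itself returns 0 with no output; any DIFFER line names an object whose source is worth passing to scan_sources.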