Search Mailing List Archives

Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] Deterministic builds and software trust

Jonathan Wilkes jancsika at
Thu Jun 20 10:35:45 PDT 2013

 From: Mike Perry <mikeperry at>
To: liberationtech <liberationtech at> 
Sent: Thursday, June 20, 2013 4:34 AM
Subject: Re: [liberationtech] Deterministic builds and software trust


Thanks for the responses.  I'm not a security specialist so it will
take me a will to ingest how all this works...

>> 2) Do you use Tor's git version id (the hash) for the
>> release as the random seed string?  Seems like that would be a
>> good precedent to set in case other projects start using this
>> method, too.

>Not sure exactly what you're asking here.

>For GCC's -frandom-seed, we just use "tor" as the string. I'm not aware
of any reason why that seed needs to ever change (my understanding is
that it is only used for symbol mangling to avoid static/namespace

What happens if you try to run two different versions on the same machine,
both of which were seeded with "tor"?

Or in "Exploit City" of the future, if a distro decides to go the deterministic
build route for _everything_ what happens when two versions of a library
are needed?

So I was just thinking that using the git hash as the seed would be future-proof:
it would guarantee no clashes for everything other than compiling the _exact_
same code in different dirs and trying to run both at the same time.


>We also include the full set of git hashes, version tags, and input
source hashes in the bundles themselves, so you know exactly what went
into your bundle if you want to try to match it at a later date...

Mike Perry
Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at companys at or changing your settings at
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the liberationtech mailing list