Reproducible Builds aims to make it easier to check the source code of free and open source software. You can follow the project at:
The project's website is at https://reproducible-builds.org
Reproducible Builds promotes tools and practices to help verify that open source code has not been altered before its distribution.
Right now this is mostly informal: (independent) developers check the reproducibility of released artifacts, and 'users' mostly rely on the fact that no such developers are sounding the alarm.
It would be great to have standard ways for rebuilders to share 'attestations' for users to compare. There are some experiments in this area (e.g. https://github.com/in-toto/apt-transport-in-toto, https://github.com/tweag/trustix) - definitely ongoing work!
@raboof Very interesting @reproducible_builds! Thanks for the answer. #Trustix definitely looks promising and very much like what I'd expect reproducible builds to do. Having a public webpage to see the submitted logs would also be great to see the consensus.
Having a Github Action or Gitlab CI template to build and submit logs would be pretty sweet too.
Looking forward to seeing how this progresses
guix build hello --check
And if I want to, I can compare results from independent build farms. The project has two independent build farms running two different CI software. Anyone can create a build farm or publish their local set of packages that they built:
guix challenge hello
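The comparison that `guix challenge` performs, and the rebuilder-consensus idea from the earlier replies, as an added example that is not part of this thread and not code from Guix or Trustix: the attestations, rebuilder names (`.example` hosts) and hashes are constructed here; real attestations would also carry a signature from the rebuilder.

```python
import hashlib
from collections import Counter

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample attestations: what independent rebuilders report as the
# hash of the output they obtained for a given package (hypothetical values).
GOOD = sha256_hex(b"hello-2.12 reproducible output")
BAD = sha256_hex(b"hello-2.12 differing output")
ATTESTATIONS = [
    {"rebuilder": "farm-a.example", "package": "hello-2.12", "output_hash": GOOD},
    {"rebuilder": "farm-b.example", "package": "hello-2.12", "output_hash": GOOD},
    {"rebuilder": "my-rebuilder.example", "package": "hello-2.12", "output_hash": BAD},
    {"rebuilder": "farm-a.example", "package": "sed-4.8", "output_hash": sha256_hex(b"sed")},
]

def challenge(package, local_hash, attestations):
    """Compare a local build's output hash with every attestation for the
    same package, in the spirit of `guix challenge`.
    Verdicts: 'no-attestations' (nothing to compare against),
    'reproducible' (every rebuilder agrees with the local build), or
    'mismatch' (at least one rebuilder differs; investigate those builds)."""
    agree, dissent = [], []
    for a in attestations:
        if a["package"] != package:
            continue
        (agree if a["output_hash"] == local_hash else dissent).append(a["rebuilder"])
    if not agree and not dissent:
        verdict = "no-attestations"
    elif dissent:
        verdict = "mismatch"
    else:
        verdict = "reproducible"
    return {"verdict": verdict, "agree": sorted(agree), "dissent": sorted(dissent)}

def consensus(package, attestations):
    """Which output hash do most rebuilders report for a package?
    Returns (hash, number_of_rebuilders) or (None, 0) if no one attested it."""
    counts = Counter(a["output_hash"] for a in attestations if a["package"] == package)
    if not counts:
        return None, 0
    return counts.most_common(1)[0]

if __name__ == "__main__":
    print(challenge("hello-2.12", GOOD, ATTESTATIONS))
    print(consensus("hello-2.12", ATTESTATIONS))
```

A disagreement does not by itself say which side is wrong; it tells the user that the rebuilds of that package are worth a closer look before trusting any of them.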