
Reproducible Builds aims to make it easier to check the source code of free and open source software. You can follow the project at:

➡️ @reproducible_builds

The project's website is at reproducible-builds.org

Reproducible Builds promotes tools and practices to help verify that open source code has not been altered before its distribution.

@FediFollows
I like the idea, but
@reproducible_builds how do users of software check that something is reproducible and see that others can confirm it's reproducible?

@loveisgrief @reproducible_builds great question!

Right now this is mostly informal: (independent) developers check the reproducibility of released artifacts, and 'users' mostly rely on the fact that no such developers are sounding the alarm.

It would be great to have standard ways for rebuilders to share 'attestations' for users to compare. There are some experiments in this area (e.g. github.com/in-toto/apt-transpo github.com/tweag/trustix ) - definitely ongoing work!

@raboof Very interesting @reproducible_builds ! Thanks for the answer. Definitely looks promising and very much like what I'd expect reproducible builds to do. Having a public webpage to see the submitted logs would also be great to see the consensus.

Having a Github Action or Gitlab CI template to build and submit logs would be pretty sweet too.

Looking forward to seeing how this progresses

@loveisgrief
My distro, #guix, allows me to independently check a build, like so:

guix build hello --check

And if I want to, I can compare results from independent build farms. The project has two independent build farms running two different CI software. Anyone can create a build farm or publish their local set of packages that they built:

guix challenge hello

To see how hello looks on all the build farms/servers I know of :)
@raboof @reproducible_builds
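The two replies above describe the same check from two angles: rebuilders publish what they got, and a user compares the local build against those reports (which is what `guix challenge` does for Guix substitute servers). The script below is an added example written for this page, not code from the thread, from Guix or from the in-toto/Trustix experiments mentioned: it hashes a locally built artifact and compares the digest against a list of "rebuilder digest" attestations. The rebuilder names (farm-a, farm-b, farm-c) and their reported digests are constructed sample data.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Guix project: a
# minimal stand-in for the comparison `guix challenge` performs. It hashes a
# locally built artifact and compares the digest with digests reported by
# independent rebuilders, so that a single deviating rebuilder is visible.
# Rebuilder names and reported digests are constructed sample data.

# Print the SHA-256 digest of a file (coreutils sha256sum, or shasum on
# systems without it).
artifact_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# challenge LOCAL_DIGEST ATTESTATIONS
# ATTESTATIONS is newline-separated "rebuilder digest" lines. Prints one
# verdict per rebuilder; returns 0 only if every rebuilder reproduced the
# local digest, 1 if any rebuilder disagrees. A here-document is used
# instead of a pipe so the loop runs in the current shell and can set status.
challenge() {
    local_digest=$1
    status=0
    while read -r builder digest; do
        [ -n "$builder" ] || continue
        if [ "$digest" = "$local_digest" ]; then
            echo "AGREE    $builder"
        else
            echo "DISAGREE $builder reported $digest"
            status=1
        fi
    done <<EOF
$2
EOF
    return "$status"
}

# Demonstration on a constructed artifact: two farms agree, one does not.
demo() {
    workdir=$(mktemp -d)
    printf 'hello\n' > "$workdir/hello.tar"
    mine=$(artifact_hash "$workdir/hello.tar")
    rm -rf "$workdir"
    farms="farm-a $mine
farm-b $mine
farm-c 0000000000000000000000000000000000000000000000000000000000000000"
    if challenge "$mine" "$farms"; then
        echo "all rebuilders agree with the local build"
    else
        echo "at least one rebuilder disagrees: inspect before trusting"
    fi
}

demo
```

A disagreement is a signal to investigate, not proof of tampering: a rebuilder may simply have used a different toolchain. The useful property is the one the thread asks for, namely that a user can see at a glance which independent parties reproduced the same bytes and which did not.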
