[rb-general] distributed package verification system

Ludovic Courtès ludo at gnu.org
Thu Jun 2 10:17:00 CEST 2016


Hello,

Bernd Hopp <berndjhopp at gmail.com> skribis:

> I'm looking for developers and build experts to join my project for
> distributed package verification rpfl (github
> <https://github.com/berndhopp/rpfl>) and would like to ask you to give me a
> hand at this. Goal of the project is to give package management systems the
> opportunity to verify that a downloaded package corresponds to its publicly
> available source code. To achieve this, a server will create hashes of the
> packages that it had previously built from source and sign them via
> ed25519; this signature is then used by the client to check if the
> downloaded package is the same as the package resulting from a build from
> source.

I think this is a worthy goal.  My feeling is that this cannot be
achieved in a way that is completely independent of the distro and its
package management tool, which I think is also what Holger is
suggesting.

Guix has ‘guix challenge’, which looks similar in spirit to what you
describe, but it’s of course Guix-specific:

  https://www.gnu.org/software/guix/manual/html_node/Invoking-guix-challenge.html

Happy hacking!  :-)

Ludo’.
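The scheme Bernd describes above (a build server hashes the artifact it built from source and signs the hash with Ed25519; the client checks the signature, then compares the hash of what it downloaded) can be written out in a few dozen lines. The following is an added illustration, not code from rpfl or from Guix; the names Attestation, Attest and Verify, the choice of SHA-256 for the package digest, and the sample package bytes are all assumptions made here for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Attestation is what the build server publishes for one package: the
// SHA-256 digest of the artifact it produced from source, plus an Ed25519
// signature over that digest. (Type and field names are assumptions.)
type Attestation struct {
	Digest    [sha256.Size]byte
	Signature []byte
}

// Attest is the server side: hash the from-source build output and sign
// the digest with the server's long-term Ed25519 private key.
func Attest(priv ed25519.PrivateKey, built []byte) Attestation {
	d := sha256.Sum256(built)
	return Attestation{Digest: d, Signature: ed25519.Sign(priv, d[:])}
}

var (
	// The attestation itself is not authentic (forged, corrupted, or signed
	// by a key the client does not trust).
	ErrBadSignature = errors.New("attestation signature does not verify")
	// The attestation is authentic, but the downloaded bytes are not the
	// bytes the server built from source.
	ErrDigestMismatch = errors.New("downloaded package differs from the from-source build")
)

// Verify is the client side. The signature is checked first, so that an
// attacker who can alter the attestation in transit cannot just swap in
// the digest of a tampered package; only then is the download's digest
// compared with the attested one. The two failures are reported
// separately because they point at different problems (the attestation
// channel versus the package mirror).
func Verify(pub ed25519.PublicKey, att Attestation, downloaded []byte) error {
	if len(pub) != ed25519.PublicKeySize {
		return ErrBadSignature
	}
	if !ed25519.Verify(pub, att.Digest[:], att.Signature) {
		return ErrBadSignature
	}
	got := sha256.Sum256(downloaded)
	if !bytes.Equal(got[:], att.Digest[:]) {
		return ErrDigestMismatch
	}
	return nil
}

func main() {
	// Constructed sample data standing in for a real build and download.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	built := []byte("constructed package contents v1.0")
	att := Attest(priv, built)

	fmt.Println("identical download:", Verify(pub, att, built))
	fmt.Println("tampered download: ", Verify(pub, att, []byte("constructed package contents v1.0 + backdoor")))

	// An attacker who rewrites the digest without the server's key is
	// caught by the signature check, not by the digest comparison.
	forged := att
	forged.Digest = sha256.Sum256([]byte("constructed package contents v1.0 + backdoor"))
	fmt.Println("forged attestation:", Verify(pub, forged, []byte("constructed package contents v1.0 + backdoor")))
}
```

The distro-independence problem Ludovic raises is visible even here: `built` only equals the bytes a user downloads if the server's build is bit-for-bit reproducible, and that depends on the package format and build tooling, which this snippet takes as given.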

