[rb-general] distributed package verification system

Holger Levsen holger at layer-acht.org
Wed Jun 1 16:08:47 CEST 2016

Hi Bernd,

thanks for reaching out to us!

On Tue, May 31, 2016 at 09:45:11AM +0000, Bernd Hopp wrote:
> I'm looking for developers and build experts to join my project for
> distributed package verification rpfl (github
> <https://github.com/berndhopp/rpfl>) and would like to ask you to give me a
> hand at this. Goal of the project is to give package management systems the
> opportunity to verify that a downloaded package corresponds to its publicly
> available source code. 

very nice!

> To achieve this, a server will create hashes of the
> packages that it had previously built from source and sign them via
> ed25519; this signature is then used by the client to check if the
> downloaded package is the same as the package resulting from a build from
> source.

I think it would also be good if the server could get these hashes from
other builders (just different machines or entirely operated by
different entities) and it should be possible to store several different
hashes for a given source. Because unreproducible software exists today.

Another idea, for the Debian use case, is also to have several people
report the checksums they see, so that it becomes possible to see
if+when one gets a different checksum than everybody else.

> The project is currently proof-of-concept and needs some work at the server
> code, especially in the area of buildsystem-integration. Also, plugins for
> package management systems need to be developed to really make use of it.

What system are you targeting at the moment, btw? IOW: do you have plans
for integration with apt or dnf or $anyothertool?

> If you are interested in participating or if you know somebody who might
> be, please don't hesitate to ask me any questions about the project or
> next steps.

please continue sharing news about this project on this list! also, you
might want to join #reproducible-builds on irc.oftc.net if you are on
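
The scheme discussed in this thread (Ed25519-signed package hashes, collected from several independent builders so that a differing checksum stands out), as an added example that is not part of the original e-mail and is not rpfl's code. The `Attestation` type, the `example-v1` message layout, the use of SHA-256, the builder names, the threshold policy and all sample data are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

type Attestation struct { // one builder's signed claim: building Source produced Hash
	Builder, Source, Hash string
	Sig                   []byte
}
func digest(pkg []byte) string { s := sha256.Sum256(pkg); return hex.EncodeToString(s[:]) }
// msg length-prefixes the source so a signature cannot be reread as another source/hash pair.
func msg(source, hash string) []byte { return []byte(fmt.Sprintf("example-v1|%d|%s|%s", len(source), source, hash)) }
func Sign(builder string, key ed25519.PrivateKey, source string, pkg []byte) Attestation {
	return Attestation{builder, source, digest(pkg), ed25519.Sign(key, msg(source, digest(pkg)))}
}

// Check accepts the download only if >= threshold trusted builders signed its hash; dissent maps builders that validly signed another hash to that hash.
func Check(trusted map[string]ed25519.PublicKey, atts []Attestation, source string, pkg []byte, threshold int) (bool, map[string]string) {
	want, agree, dissent := digest(pkg), map[string]bool{}, map[string]string{}
	for _, a := range atts {
		pub, known := trusted[a.Builder]
		if !known || a.Source != source || !ed25519.Verify(pub, msg(a.Source, a.Hash), a.Sig) {
			continue // unknown builder, other source, or bad signature: no vote
		}
		if a.Hash == want {
			agree[a.Builder] = true
		} else {
			dissent[a.Builder] = a.Hash
		}
	}
	return len(agree) >= threshold, dissent
}

// Demo (constructed data): builders 0 and 1 reproduce the package; builder 2 does not and forges a claim as builder-0.
func Demo(download []byte, threshold int) (bool, map[string]string) {
	src, trusted, atts, last := "pkg_1.0.orig.tar.gz", map[string]ed25519.PublicKey{}, []Attestation{}, ed25519.PrivateKey(nil)
	for i, out := range []string{"pkg-1.0 bytes", "pkg-1.0 bytes", "pkg-1.0 bytes+timestamp"} {
		b := fmt.Sprintf("builder-%d", i)
		trusted[b], last, _ = ed25519.GenerateKey(nil) // nil selects crypto/rand
		atts = append(atts, Sign(b, last, src, []byte(out)))
	}
	atts = append(atts, Sign("builder-0", last, src, []byte("forged"))) // signed with builder-2's key, so rejected
	return Check(trusted, atts, src, download, threshold)
}
func main() { fmt.Println(Demo([]byte("pkg-1.0 bytes"), 2)) }
```

A non-empty dissent map alongside an accepted download points at an unreproducible build or a builder that needs investigating, which is the "different checksum than everybody else" case.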
