[rb-general] distributed package verification system
Ludovic Courtès
ludo at gnu.org
Thu Jun 2 10:17:00 CEST 2016
Hello,
Bernd Hopp <berndjhopp at gmail.com> wrote:
> I'm looking for developers and build experts to join my project for
> distributed package verification rpfl (github
> <https://github.com/berndhopp/rpfl>) and would like to ask you to give me a
> hand at this. Goal of the project is to give package management systems the
> opportunity to verify that a downloaded package corresponds to its publicly
> available source code. To achieve this, a server will create hashes of the
> packages that it had previously built from source and sign them via
> ed25519; this signature is then used by the client to check if the
> downloaded package is the same as the package resulting from a build from
> source.
I think this is a worthy goal. My feeling is that this cannot be
achieved in a way that is completely independent of the distro and its
package management tool, which I think is also what Holger is
suggesting.
Guix has ‘guix challenge’, which looks similar in spirit to what you
describe, but it’s of course Guix-specific:
https://www.gnu.org/software/guix/manual/html_node/Invoking-guix-challenge.html
Happy hacking! :-)
Ludo’.
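The server/client exchange Bernd sketches above, as an added example in Go that is not code from rpfl or from this thread: the build server hashes the artifact it rebuilt from source and signs the digest with ed25519; the client checks the signature with the server's public key and compares the digest of what it downloaded. SHA-256 as the hash, and binding the package name into the signed message so one attestation cannot be replayed for another package, are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Attestation is the record the build server publishes for one package:
// the SHA-256 of the artifact it rebuilt from source, signed with ed25519.
type Attestation struct {
	Name   string
	Digest []byte // sha256 of the rebuilt package bytes
	Sig    []byte // ed25519 signature over Name + Digest
}

// signedMessage binds the package name to the digest (assumed design) so an
// attestation for one package cannot be presented as one for another.
func signedMessage(name string, digest []byte) []byte {
	return append([]byte(name+"\x00"), digest...)
}

// Attest runs on the server after a build from source.
func Attest(priv ed25519.PrivateKey, name string, built []byte) Attestation {
	d := sha256.Sum256(built)
	return Attestation{Name: name, Digest: d[:], Sig: ed25519.Sign(priv, signedMessage(name, d[:]))}
}

// Verify runs on the client: check the signature with the server's public
// key, then compare the digest of the downloaded bytes against the attested
// one. A bad signature or a digest mismatch both reject the package.
func Verify(pub ed25519.PublicKey, a Attestation, downloaded []byte) bool {
	if !ed25519.Verify(pub, signedMessage(a.Name, a.Digest), a.Sig) {
		return false // forged or tampered attestation
	}
	d := sha256.Sum256(downloaded)
	return bytes.Equal(d[:], a.Digest) // false: download differs from the rebuild
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	built := []byte("constructed package contents v1") // stands in for a rebuilt package file
	a := Attest(priv, "hello-1.0", built)
	fmt.Println("digest:", hex.EncodeToString(a.Digest))
	fmt.Println("genuine:", Verify(pub, a, built))                        // true
	fmt.Println("tampered:", Verify(pub, a, []byte("altered contents"))) // false
}
```

The client must obtain the server's public key out of band (for example shipped with the package manager), otherwise the signature check proves nothing.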