[rb-general] distributed package verification system

Bernd Hopp berndjhopp at gmail.com
Tue May 31 11:45:11 CEST 2016


Dear team,

I'm looking for developers and build experts to join my project for
distributed package verification rpfl (github
<https://github.com/berndhopp/rpfl>) and would like to ask you to give me a
hand at this. Goal of the project is to give package management systems the
opportunity to verify that a downloaded package corresponds to its publicly
available source code. To achieve this, a server will create hashes of the
packages that it had previously built from source and sign them via
ed25519; this signature is then used by the client to check if the
downloaded package is the same as the package resulting from a build from
source.

The project is currently proof-of-concept and needs some work at the server
code, especially in the area of buildsystem-integration. Also, plugins for
package management systems need to be developed to really make use of it.

If you are interested in participating or if you know somebody who might
be, please don't hesitate to ask me any questions about the project or
next steps.

regards
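
The check described in the message above, as an added Go example that is not part of the original post and not rpfl's own code. The message specifies only hashing and ed25519 signing; the SHA-256 hash, the signed statement format, and the names `statement`, `Attest`, `Verify` and `Demo` are assumptions made here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// statement is the byte string the build server signs (assumed format).
// Binding name and version to the hash stops a valid signature for one
// package from being reused for another; %q keeps the fields unambiguous.
func statement(name, version string, pkg []byte) []byte {
	sum := sha256.Sum256(pkg)
	return []byte(fmt.Sprintf("pkg-attest-v1 %q %q %x", name, version, sum[:]))
}

// Attest runs on the build server after it has built pkg from source.
func Attest(priv ed25519.PrivateKey, name, version string, pkg []byte) []byte {
	return ed25519.Sign(priv, statement(name, version, pkg))
}

// Verify runs on the client: it hashes the bytes it actually downloaded and
// accepts them only if the server signed that exact name/version/hash.
func Verify(pub ed25519.PublicKey, name, version string, downloaded, sig []byte) bool {
	return ed25519.Verify(pub, statement(name, version, downloaded), sig)
}

// Demo uses constructed sample data and returns the result of three checks:
// identical package, modified package, and a signature reused for another version.
func Demo() (ok, tampered, replayed bool) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	built := []byte("constructed bytes standing in for hello_1.0.deb")
	sig := Attest(priv, "hello", "1.0", built)

	ok = Verify(pub, "hello", "1.0", built, sig)
	tampered = Verify(pub, "hello", "1.0", append([]byte("extra"), built...), sig)
	replayed = Verify(pub, "hello", "1.1", built, sig)
	return
}

func main() {
	fmt.Println(Demo()) // true false false
}
```

The client check only proves anything if the server's build is bit-for-bit reproducible, so that the distributor's package and the server's build hash to the same value.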