[rb-general] Regarding "Zero Install" manifests
anders at ecsit.se
Thu Apr 27 21:21:09 CEST 2017
My name is Anders and I saw Chris Lamb's talk about Reproducible Builds
and I had a question about verifiable formats (after the build itself)
What I saw reminded me of an Open Source project called "Zero Install":
It has done some previous work in this field that might be worth
looking into? Especially the "manifest" file format that is used:
It contains a list of binaries, each with their own recursive checksum.
Then the document contents are signed, and the signature is included:
It has a much simpler build system (i.e. that generates the binaries),
so I think that there is much synergy to be had between the projects?
The build system I used was partially manual, and used basic chroots.
Looked something like this: http://0install.net/0compile-chroot.html
The author is Thomas Leonard, and he wrote an essay some 10 years ago
now on what a packaging system like this can ultimately be used for:
It is much better to checksum the binaries (than e.g. the tarballs),
because then the _same_ files can be distributed in lots of ways...
The result is something like a git commit?
That is, a content-addressable identifier.
Finally, here is an example of a "feed":
http://0install.net/tools/0install.xml (view source!)
PS. You might also be interested in this tool, perhaps.
http://0install.net/pkg2zero.html (converts a deb/rpm)
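
The point made in the message above (checksum the files rather than the tarball, so the identifier survives repackaging), as an added example that is not part of the original post and is not Zero Install's code. The one-line-per-file manifest layout, the function names and the sample tree are assumptions constructed for illustration; the real manifest format may differ.

```python
import hashlib, io, tarfile, zipfile

def manifest(files):
    """files: {relative path: bytes}. Lines are sorted, so packing order is irrelevant."""
    lines = []
    for path in sorted(files):
        if "\n" in path:  # a newline in a name could forge an extra manifest line
            raise ValueError("newline in path: %r" % path)
        data = files[path]
        lines.append(f"F {hashlib.sha256(data).hexdigest()} {len(data)} {path}")
    return "\n".join(lines) + "\n"

def tree_id(files):
    """Content-addressable identifier: the hash of the manifest text."""
    return "sha256=" + hashlib.sha256(manifest(files).encode()).hexdigest()

def files_from_tar(blob):
    # Read members in memory; nothing is extracted to disk.
    with tarfile.open(fileobj=io.BytesIO(blob)) as tar:
        return {m.name: tar.extractfile(m).read() for m in tar if m.isfile()}

def files_from_zip(blob):
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        return {i.filename: z.read(i) for i in z.infolist() if not i.is_dir()}

def pack_tar(files):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def pack_zip(files):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for path, data in files.items():
            z.writestr(path, data)
    return buf.getvalue()

# Constructed sample tree (not a real package).
SAMPLE = {"bin/tool": b"#!/bin/sh\necho hello\n", "share/doc/README": b"sample docs\n"}

def demo():
    tar_blob, zip_blob = pack_tar(SAMPLE), pack_zip(SAMPLE)
    tampered = dict(SAMPLE, **{"bin/tool": b"#!/bin/sh\necho hellp\n"})
    ids = {tree_id(SAMPLE), tree_id(files_from_tar(tar_blob)), tree_id(files_from_zip(zip_blob))}
    return {"archives_differ": hashlib.sha256(tar_blob).digest() != hashlib.sha256(zip_blob).digest(),
            "ids": ids, "tamper_detected": tree_id(tampered) != tree_id(SAMPLE)}
```

The two archives hash differently as containers, yet both yield the same tree identifier, and a one-byte change to a file changes it; signing the manifest text then covers every distribution channel at once.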