[rb-general] Regarding "Zero Install" manifests

Anders Björklund anders at ecsit.se
Thu Apr 27 21:21:09 CEST 2017


Hi R-B!

My name is Anders and I saw Chris Lamb's talk about Reproducible Builds
and I had a question about verifiable formats (after the build itself).

What I saw reminded me of an Open Source project called "Zero Install":

http://0install.net/


It has done some previous work in this field that might be worth
looking into? Especially the "manifest" file format that is used:

http://0install.net/manifest-spec.html

It contains a list of binaries, each with their own recursive checksum.
Then the document contents are signed, and the signature is included:

http://0install.net/walkthrough.html


It has a much simpler build system (i.e. that generates the binaries),
so I think that there is much synergy to be had between the projects?

The build system I used was partially manual, and used basic chroots.
Looked something like this: http://0install.net/0compile-chroot.html


The author is Thomas Leonard, and he wrote an essay some 10 years ago 
now on what a packaging system like this can ultimately be used for:

http://www.osnews.com/story/16956/Decentralised_Installation_Systems/

It is much better to checksum the binaries (than e.g. the tarballs),
because then the _same_ files can be distributed in lots of ways...


The result is something like a git commit?
That is, a content-addressable identifier.

Finally, here is an example of a "feed":
http://0install.net/tools/0install.xml (view source!)

/Anders


PS. You might also be interested in this tool, perhaps.
http://0install.net/pkg2zero.html (converts a deb/rpm)
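
The point above about checksumming the files rather than the tarball, shown as an added example that is not part of the original post and is not Zero Install code. The manifest line layout and the function names are simplified assumptions, not the format from manifest-spec.html.

```python
import hashlib
import io
import tarfile

def build_tar(files, mtime, gz):
    """Pack (path, bytes, executable) entries into a tar archive, in the order given."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz" if gz else "w") as tar:
        for path, data, exe in files:
            info = tarfile.TarInfo(path)
            info.size, info.mtime = len(data), mtime
            info.mode = 0o755 if exe else 0o644
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def manifest_lines(archive):
    """One line per regular file: kind, SHA-256 of the content, size, path.

    Simplified layout (an assumption): sorted by path; mtime, owner,
    member order and compression are deliberately left out.
    """
    entries = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for member in tar.getmembers():
            if member.isdir():
                continue  # directories are implied by the file paths
            if not member.isfile():
                raise ValueError(f"unsupported member type: {member.name!r}")
            name = member.name.removeprefix("./")
            if "\n" in name or name in entries:
                raise ValueError(f"ambiguous entry name: {name!r}")
            data = tar.extractfile(member).read()
            kind = "X" if member.mode & 0o111 else "F"  # executable bit is part of identity
            entries[name] = f"{kind} {hashlib.sha256(data).hexdigest()} {len(data)} {name}"
    return [entries[name] for name in sorted(entries)]

def tree_digest(archive):
    """Content-addressable identifier: the hash of the manifest text."""
    text = "".join(line + "\n" for line in manifest_lines(archive))
    return "sha256=" + hashlib.sha256(text.encode("utf-8")).hexdigest()

# Constructed sample input: the same two files packed in two different ways.
FILES = [("bin/tool", b"#!/bin/sh\necho hi\n", True), ("README", b"hello\n", False)]
TAR_A = build_tar(FILES, mtime=1493320869, gz=False)
TAR_B = build_tar(list(reversed(FILES)), mtime=0, gz=True)
CHANGED = build_tar([("bin/tool", b"#!/bin/sh\necho bye\n", True), FILES[1]], mtime=0, gz=True)

if __name__ == "__main__":
    for label, blob in (("A", TAR_A), ("B", TAR_B), ("changed", CHANGED)):
        print(label, hashlib.sha256(blob).hexdigest()[:16], tree_digest(blob))
```

Archives A and B hash differently as byte streams but share one tree digest, while a change to one file's content or executable bit yields a different digest.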

