[rb-general] Codehash.db

u u at 451f.org
Tue Mar 14 17:47:00 CET 2017


Hi!

I've previously not been on this list, so I'm breaking the thread of
your previous messages introducing codehash.db. Sorry about that.
For reference, the thread started here:
https://secure-os.org/pipermail/desktops/2016-November/000143.html

During the last Reproducible Builds summit in Berlin, such a database
was also discussed. (I'm not aware of any public design doc or
implementation though.)

I think it would be a good idea to actually coordinate this effort
together with the Reproducible Builds folks (who I am Cc:ing), in order
not to duplicate the work, as well as to create and/or use open formats
- usable by all kind of software projects.

Furthermore I'd like to suggest that a design document for such a
database could be created (collectively). This could happen during the
next Reproducible Builds summit IMO - as being physically in the same
place seems to be very beneficial to the effort of actually creating a
secure future for software and users.

IMO, not only the format of such a database could then be agreed upon,
but furthermore, the question came up on how to trust the hashes which
are uploaded to the database. Who can upload hashes there and how can we
build trust? (Your solution uses PGP signatures from what I can tell.)

>From my memory, another idea would be that everybody could upload
hashes, and that the yet-to-be-created tool should allow for displaying
all uploaded hashes for one ISO|app|tool and allow for comparing them.
Such a database could not only be accessible via Git|raw data|JSON or
whatever format, but there could also be a frontend for end-users.

Cheers!
ulrike


More information about the rb-general mailing list