[rb-general] Core Debian reproducibility: how close?
santiago at nyu.edu
Tue Oct 23 20:47:42 CEST 2018
> In short: It's hard for me to tell "what's left to do for real Debian (at least
> its required parts) to be reproducible?"
Hi, I don't know if I'm missing context on the "theory to practice"
aspect of it, but it appears that this is something we're trying to fix
using the debian rebuilder setup and the buildinfo archive:
The rebuilder will basically reproduce a package in distinct
infrastructure and post an attestation about this action. Here's our
The idea long-term would be to enforce threshold signing on reproducible
packages using something akin to in-toto*:
I'll say there's something along these lines already in the works, but
it's not released yet.
I don't know how much this helps contextualize your question though...
* (disclaimer, I'm the lead dev on in-toto...)
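
The threshold check described in the message above, as an added example that is not part of the original post and is not in-toto's or the Debian rebuilder's code: a package is accepted only when enough distinct trusted rebuilders attest to the same bytes. The rebuilder names, keys and attestation fields are hypothetical, and HMAC-SHA256 stands in for public-key signatures so the sketch runs on the standard library alone.

```python
import hashlib
import hmac
import json

# Constructed sample data: rebuilder names and keys are made up for this example.
# HMAC-SHA256 stands in for the public-key signatures real attestations carry.
REBUILDER_KEYS = {"rebuilder-a": b"key-a", "rebuilder-b": b"key-b", "rebuilder-c": b"key-c"}


def claim_bytes(name, version, sha256):
    """Canonical encoding of the claim a rebuilder signs."""
    claim = {"name": name, "version": version, "sha256": sha256}
    return json.dumps(claim, sort_keys=True).encode()


def attest(rebuilder, key, name, version, artifact):
    """Attestation a rebuilder would post after rebuilding `artifact` (bytes)."""
    digest = hashlib.sha256(artifact).hexdigest()
    sig = hmac.new(key, claim_bytes(name, version, digest), hashlib.sha256).hexdigest()
    return {"rebuilder": rebuilder, "name": name, "version": version,
            "sha256": digest, "sig": sig}


def meets_threshold(artifact, name, version, attestations, keys, threshold):
    """True if at least `threshold` distinct trusted rebuilders vouch for these bytes."""
    digest = hashlib.sha256(artifact).hexdigest()
    agreeing = set()
    for att in attestations:
        key = keys.get(att.get("rebuilder"))
        if key is None:
            continue  # attestation from a rebuilder we do not trust
        if (att.get("name"), att.get("version"), att.get("sha256")) != (name, version, digest):
            continue  # vouches for another package, or the rebuild produced different bytes
        expected = hmac.new(key, claim_bytes(name, version, digest), hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected.encode(), str(att.get("sig", "")).encode()):
            agreeing.add(att["rebuilder"])  # a set, so repeats from one rebuilder count once
    return len(agreeing) >= threshold


if __name__ == "__main__":
    deb = b"constructed package bytes"
    a = attest("rebuilder-a", REBUILDER_KEYS["rebuilder-a"], "hello", "2.10-1", deb)
    b = attest("rebuilder-b", REBUILDER_KEYS["rebuilder-b"], "hello", "2.10-1", deb)
    c = attest("rebuilder-c", REBUILDER_KEYS["rebuilder-c"], "hello", "2.10-1", deb + b"!")
    print("a + b agree:", meets_threshold(deb, "hello", "2.10-1", [a, b], REBUILDER_KEYS, 2))
    print("a twice + c differs:", meets_threshold(deb, "hello", "2.10-1", [a, a, c], REBUILDER_KEYS, 2))
```

Counting distinct signers rather than attestations is the point of the threshold: one compromised or replayed rebuilder cannot reach it alone.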