rebuilding Maven Central Repository artifacts: welcome reproducible-central
Bernhard M. Wiedemann
bernhardout at lsmod.de
Thu Apr 16 20:24:13 UTC 2020
On 03/04/2020 06.03, Hervé Boutemy wrote:
> The big question is: where is the database that tells that a binary
> artifact is reproducible? Who should one trust for such a database?
> based on what proof?
There was the idea that rebuilders sign their buildinfo files
that contain what sources produced what binaries in what env.
Then the database would just collect (links to) those signed snippets
in a similar way to
https://keybase.io/bmwiedemann doing it for associating accounts via
That could allow (tools of) users to decide which set of rebuilders to
Just my 0.02 EUR
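One way a user's tool could evaluate such signed snippets against its own choice of rebuilders, as an added example that is not part of the original message or of any rebuilder's tooling. Ed25519 signatures, the agreement threshold, the record layout and all names and values are assumptions constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
)

// Attestation is a constructed stand-in for one signed buildinfo snippet; Sig covers Body.
type Attestation struct {
	Rebuilder, Body string
	Sig             []byte
}

// Policy is the user's own choice of rebuilder keys; Threshold is an assumption of this example.
type Policy struct {
	Keys      map[string]ed25519.PublicKey
	Threshold int
}

// Reproducible reports whether enough distinct trusted rebuilders validly signed wantBody.
func (p Policy) Reproducible(wantBody string, atts []Attestation) bool {
	agreed := map[string]bool{}
	for _, a := range atts {
		key, trusted := p.Keys[a.Rebuilder]
		// Unknown rebuilders are skipped before Verify, which panics on an empty key.
		if trusted && a.Body == wantBody && ed25519.Verify(key, []byte(a.Body), a.Sig) {
			agreed[a.Rebuilder] = true // a rebuilder counts once, however often it appears
		}
	}
	return len(agreed) >= p.Threshold
}

// sign builds a constructed attestation from a fixed demo seed (never do this with real keys).
func sign(name string, seed byte, body string) (Attestation, ed25519.PublicKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{seed}, ed25519.SeedSize))
	return Attestation{name, body, ed25519.Sign(priv, []byte(body))}, priv.Public().(ed25519.PublicKey)
}

// demo returns verdicts for: two trusted agree; one trusted plus untrusted and forged; one repeated.
func demo() (bool, bool, bool) {
	body := "source=example-1.0-sources artifact=example-1.0.jar sha256=<constructed digest>"
	a, pubA := sign("rebuilder-a", 1, body)
	b, pubB := sign("rebuilder-b", 2, body)
	m, _ := sign("rebuilder-m", 3, body)              // key not in the user's policy
	forged := Attestation{"rebuilder-b", body, m.Sig} // claims b's name, signed with m's key
	p := Policy{map[string]ed25519.PublicKey{"rebuilder-a": pubA, "rebuilder-b": pubB}, 2}
	return p.Reproducible(body, []Attestation{a, b}),
		p.Reproducible(body, []Attestation{a, m, forged}),
		p.Reproducible(body, []Attestation{a, a})
}

func main() { fmt.Println(demo()) }
```

The collecting database needs no trust of its own here: it only supplies the attestations, and the verdict depends solely on the keys and threshold the user configured.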