rebuilding Maven Central Repository artifacts: welcome reproducible-central

Bernhard M. Wiedemann bernhardout at lsmod.de
Thu Apr 16 20:24:13 UTC 2020


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On 03/04/2020 06.03, Hervé Boutemy wrote:
> The big question is: where is the database that tells that a binary
> artifact is reproducible? Who should one trust for such a database?
> based on what proof?

There was the idea that rebuilders sign their buildinfo files
that contain what sources produced what binaries in what env.

Then the database would just collect (links to) those signed snippets
in a similar way to
https://keybase.io/bmwiedemann doing it for associating accounts via
signed messages.

That could allow (tools of) users to decide which set of rebuilders to
trust.

Just my 0.02 EUR

Ciao
Bernhard M.
-----BEGIN PGP SIGNATURE-----

iF0EARECAB0WIQRk4KvQEtfG32NHprVJNgs7HfuhZAUCXpi+3wAKCRBJNgs7Hfuh
ZErKAKCecupiwohH8SgO0a31dd94N/GEGACeLCIzm+MEaVAr8K4n+x0l5DpiOqc=
=uyqL
-----END PGP SIGNATURE-----
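The scheme sketched in the message above, worked through as an added example (not code from the message, from reproducible-central, or from any rebuilder project): rebuilders sign a buildinfo record saying which source produced which binary in which environment, a database merely collects those signed snippets, and the user's tooling decides which rebuilder keys to trust and how many of them must agree. The example assumes ed25519 in place of PGP, a simplified `BuildInfo` struct, the hypothetical rebuilder names A, B and C, and constructed artifact coordinates and hashes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// BuildInfo is a hypothetical, simplified stand-in for a rebuilder's buildinfo:
// which source produced which binary in which environment.
type BuildInfo struct {
	Artifact   string `json:"artifact"`    // constructed Maven coordinates
	SourceHash string `json:"source_hash"` // constructed digest of the source
	BinaryHash string `json:"binary_hash"` // constructed digest of the rebuilt binary
	Env        string `json:"env"`         // constructed build environment label
}

// Attestation is one buildinfo snippet signed by one rebuilder. The database
// only stores these (or links to them); it never vouches for them itself.
type Attestation struct {
	Rebuilder string // name the signer claims; the user's policy decides what it is worth
	Payload   []byte // canonical JSON of the BuildInfo
	Sig       []byte // ed25519 signature over Payload
}

// encode serialises a BuildInfo deterministically (encoding/json emits struct
// fields in declaration order), so signer and verifier sign and check identical bytes.
func encode(b BuildInfo) []byte {
	out, err := json.Marshal(b)
	if err != nil {
		panic(err) // cannot happen for this plain struct
	}
	return out
}

// Sign produces a rebuilder's attestation (ed25519 here in place of PGP).
func Sign(name string, priv ed25519.PrivateKey, b BuildInfo) Attestation {
	payload := encode(b)
	return Attestation{Rebuilder: name, Payload: payload, Sig: ed25519.Sign(priv, payload)}
}

// Policy is the user's side of the design: which rebuilder keys they pin, and
// how many distinct trusted rebuilders must agree before a binary is accepted.
type Policy struct {
	Trusted map[string]ed25519.PublicKey
	Quorum  int
}

// Decide scans the database for attestations about artifact from trusted
// rebuilders. It returns how many of them reproduced binaryHash, whether that
// meets the quorum, and the trusted rebuilders whose rebuild gave a different
// binary (a divergence to investigate). Only the key pinned in the policy is
// used for verification; a key carried inside an attestation would prove nothing.
func (p Policy) Decide(db []Attestation, artifact, binaryHash string) (agree int, ok bool, divergent []string) {
	seen := map[string]bool{}
	for _, a := range db {
		pub, trusted := p.Trusted[a.Rebuilder]
		if !trusted || seen[a.Rebuilder] {
			continue // unknown signer, or a second statement from one already counted
		}
		if !ed25519.Verify(pub, a.Payload, a.Sig) {
			continue // forged, impersonated or tampered: not counted, does not block the real one
		}
		var b BuildInfo
		if json.Unmarshal(a.Payload, &b) != nil || b.Artifact != artifact {
			continue
		}
		seen[a.Rebuilder] = true
		if b.BinaryHash == binaryHash {
			agree++
		} else {
			divergent = append(divergent, a.Rebuilder)
		}
	}
	return agree, agree >= p.Quorum, divergent
}

func main() {
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader)
	pubB, privB, _ := ed25519.GenerateKey(rand.Reader)
	_, privX, _ := ed25519.GenerateKey(rand.Reader) // untrusted / attacker key
	good := BuildInfo{Artifact: "org.example:lib:1.0", SourceHash: "src1", BinaryHash: "bin1", Env: "jdk11 maven3"}
	db := []Attestation{
		Sign("A", privX, good), // impersonation of A with the wrong key
		Sign("A", privA, good),
		Sign("B", privB, good),
		Sign("C", privX, good), // rebuilder the user has not chosen to trust
	}
	p := Policy{Trusted: map[string]ed25519.PublicKey{"A": pubA, "B": pubB}, Quorum: 2}
	agree, ok, div := p.Decide(db, good.Artifact, "bin1")
	fmt.Printf("agreeing trusted rebuilders=%d reproducible=%v divergent=%v\n", agree, ok, div)
}
```

The database in this design is untrusted storage: a forged or impersonated attestation is simply ignored, a duplicate from the same rebuilder is counted once, and a trusted rebuilder that obtained a different binary shows up as a divergence rather than silently lowering the count.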


More information about the rb-general mailing list