Please review the draft for March's report

Richard Purdie richard.purdie at linuxfoundation.org
Tue Apr 6 14:46:46 UTC 2021


On Tue, 2021-04-06 at 10:39 -0400, David A. Wheeler wrote:
> Press releases are not the best way to learn technical details :-).
> 
> I suggest adding a link to more details e.g.:
> 
> See <a href="https://sigstore.dev/what_is_sigstore/“>”What is sigstore"</a> for more details.
> 
> I think mentioning sigstore is value. Reproducible builds let you verify that
> a given build *is* generated from a given source; sigstore can let you
> verify that you got the *correct* source or build.

An interesting aside but Yocto Project sidesteps this issue by
encoding the checksums of the source tarballs in it's recipes
for software.

Whilst that doesn't guarantee it is the correct source, it means
that you're all using the same source and given the breadth of
use of the project, you'd assume differences would be noticed 
and can certainly be audited.

You'd be amazed how often we find projects that rebuild their
release tarballs :/

Cheers,

Richard




More information about the rb-general mailing list