Please review the draft for March's report
richard.purdie at linuxfoundation.org
Tue Apr 6 14:46:46 UTC 2021
On Tue, 2021-04-06 at 10:39 -0400, David A. Wheeler wrote:
> Press releases are not the best way to learn technical details :-).
> I suggest adding a link to more details e.g.:
> See https://sigstore.dev/what_is_sigstore/ "What is sigstore" for more details.
> I think mentioning sigstore is of value. Reproducible builds let you verify that
> a given build *is* generated from a given source; sigstore can let you
> verify that you got the *correct* source or build.
An interesting aside but Yocto Project sidesteps this issue by
encoding the checksums of the source tarballs in its recipes.
Whilst that doesn't guarantee it is the correct source, it means
that you're all using the same source and given the breadth of
use of the project, you'd assume differences would be noticed
and can certainly be audited.
You'd be amazed how often we find projects that rebuild their
release tarballs :/
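The pinning mechanism described above, as an added example that is not part of this thread or of the Yocto Project's own code: a small Python script that reads a BitBake-style `SRC_URI` / `SRC_URI[sha256sum]` pin from a recipe fragment and checks a fetched tarball against it. The recipe fragment, the `example.invalid` URL and the source files are constructed for the example; the recipe syntax is modelled on BitBake's but the parser here is a simplified assumption, not BitBake's fetcher. It also builds a second, content-identical tarball with different timestamps to show why a "rebuilt" release tarball fails the pin even though its files did not change.

```python
import gzip
import hashlib
import hmac
import io
import re
import tarfile


def make_tarball(files: dict, mtime: int) -> bytes:
    """Build a .tar.gz in memory from {path: bytes}.

    mtime is stamped into both the tar headers and the gzip header, so two
    archives of identical file content built at different times differ
    byte-for-byte; that is exactly what happens when a release tarball is
    re-rolled, and why a pinned checksum catches it.
    """
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=mtime) as gz, \
            tarfile.open(fileobj=gz, mode="w") as tar:
        for name in sorted(files):
            data = files[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def tar_contents(data: bytes) -> dict:
    """Return {path: bytes} for the regular files inside a .tar.gz."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                out[member.name] = tar.extractfile(member).read()
    return out


def parse_pins(recipe: str) -> dict:
    """Pull SRC_URI and SRC_URI[sha256sum] out of a BitBake-style fragment (simplified parser)."""
    uri = re.search(r'^SRC_URI\s*=\s*"([^"]+)"', recipe, re.M)
    digest = re.search(r'^SRC_URI\[sha256sum\]\s*=\s*"([0-9a-fA-F]{64})"', recipe, re.M)
    if not uri or not digest:
        raise ValueError("recipe does not pin both SRC_URI and its sha256sum")
    return {"uri": uri.group(1), "sha256": digest.group(1).lower()}


def verify_fetch(recipe: str, fetched: bytes) -> bool:
    """Accept the fetched bytes only if their sha256 matches the recipe's pin."""
    expected = parse_pins(recipe)["sha256"]
    actual = hashlib.sha256(fetched).hexdigest()
    return hmac.compare_digest(actual, expected)


# Constructed sample "upstream" sources (not a real project).
SOURCE_FILES = {
    "foo-1.0/configure": b"#!/bin/sh\necho configuring\n",
    "foo-1.0/src/main.c": b'#include <stdio.h>\nint main(void){puts("hi");return 0;}\n',
}

# The release the recipe author fetched, audited and pinned.
ORIGINAL = make_tarball(SOURCE_FILES, mtime=1_600_000_000)

# Constructed recipe fragment; the URL is a placeholder, the hash is computed
# from ORIGINAL so the example is self-contained.
RECIPE = (
    'SRC_URI = "https://example.invalid/releases/foo-1.0.tar.gz"\n'
    f'SRC_URI[sha256sum] = "{hashlib.sha256(ORIGINAL).hexdigest()}"\n'
)

# The same files re-archived later: identical content, different bytes.
REBUILT = make_tarball(SOURCE_FILES, mtime=1_600_000_100)

# Same name and timestamps as the original, but one file's content changed.
TAMPERED = make_tarball(
    {**SOURCE_FILES, "foo-1.0/configure": b"#!/bin/sh\necho configuring (modified)\n"},
    mtime=1_600_000_000,
)


if __name__ == "__main__":
    for label, blob in [("original", ORIGINAL), ("rebuilt", REBUILT), ("tampered", TAMPERED)]:
        same_files = tar_contents(blob) == SOURCE_FILES
        print(f"{label:9s} sha256={hashlib.sha256(blob).hexdigest()[:16]}... "
              f"pin_ok={verify_fetch(RECIPE, blob)} files_unchanged={same_files}")
```

The rebuilt archive unpacks to exactly the same files as the original yet fails the pin, which is the case the thread complains about: a checksum pin guarantees every builder uses the same bytes, and any re-roll of a release, benign or otherwise, shows up as a fetch failure that then has to be audited rather than silently accepted.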