How could we accelerate *deployment* of verified reproducible builds?

Holger Levsen holger at
Mon Feb 1 17:27:08 UTC 2021

On Mon, Feb 01, 2021 at 11:34:39PM +0800, Justin Cappos wrote:
> Great question.  I hope if you don't mind that I reply on list.
> in-toto provides a way to know what / how many keys should be trusted for
> the build servers (and rotate them / replace them securely if needed, for
> example if a compromise occurs).  It also performs checks to make sure that
> what goes into the reproducible build process was actually a signed /
> tagged git release.  Following the reproducible builds process, it makes
> sure that any localization or further work on the reproducible builds
> output (if present) also actually used the result of the reproducible build.

apt-transport-in-toto has just been accepted into the Debian archive and
thus *should* make it into the next Debian release bullseye, which (AFAIUI)
means we can now set up rebuilders and then will be able to use apt-transport-in-toto
to force apt to only install packages which were reproduced on X builders.

Also, hopefully maybe. ;p  I'll celebrate this when I see it working. ;)

Cheers go to Lukas Puehringer and Frédéric Pierret for making the Debian
package and the whole in-toto team! (and a tiny bit to yours truly.)


 ⣾⠁⢠⠒⠀⣿⡁       holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀ PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C

We are done with ‘world leaders’. Countries are on fire. Cities are drowning.
People are dying. This is what scientists and activists have been warning the
world and politicians about. It’s here. We ARE facing the impacts of the
climate crisis. Forget about the future, it’s now.
fridays for future -
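The policy Holger describes above (apt may only install a package that at least X trusted rebuilders reproduced bit-for-bit) as an added illustration; this is not apt-transport-in-toto's or in-toto's own code or link format, and it stands in for asymmetric link signatures with HMAC over constructed per-rebuilder keys:

```python
"""Threshold check in the spirit of apt-transport-in-toto (added illustration,
not in-toto's real code). Each rebuilder attests to the hash of the .deb it
produced; apt may install only if >= `threshold` distinct *trusted* rebuilders
attest to the same hash the archive serves. Signatures are simplified to HMAC
with constructed shared keys (real in-toto links carry asymmetric signatures)."""
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Attestation:
    rebuilder: str   # key id of the rebuilder that produced the link
    package: str
    sha256: str      # hash of the artifact that rebuilder produced
    mac: str         # HMAC over (package, sha256) under the rebuilder's key

# Constructed trusted set; in practice keys and thresholds come from the signed
# in-toto layout, which is also how a compromised rebuilder key gets rotated out.
TRUSTED_KEYS = {"rb-a": b"key-a", "rb-b": b"key-b", "rb-c": b"key-c"}

def _mac(key: bytes, package: str, sha256: str) -> str:
    return hmac.new(key, f"{package}\n{sha256}".encode(), hashlib.sha256).hexdigest()

def sign(rebuilder: str, key: bytes, package: str, sha256: str) -> Attestation:
    return Attestation(rebuilder, package, sha256, _mac(key, package, sha256))

def _valid(a: Attestation, trusted: dict) -> bool:
    key = trusted.get(a.rebuilder)
    if key is None:
        return False  # unknown or rotated-out rebuilder: its link is ignored
    return hmac.compare_digest(_mac(key, a.package, a.sha256), a.mac)

def may_install(package, archive_sha256, attestations, threshold, trusted=TRUSTED_KEYS):
    """True iff >= threshold distinct trusted rebuilders attest archive_sha256."""
    agreeing = {a.rebuilder for a in attestations
                if a.package == package and a.sha256 == archive_sha256 and _valid(a, trusted)}
    return len(agreeing) >= threshold

def demo():
    pkg = "hello_2.10-2_amd64.deb"  # constructed package name
    good = hashlib.sha256(b"constructed .deb bytes").hexdigest()
    bad = hashlib.sha256(b"constructed different .deb bytes").hexdigest()
    links = [
        sign("rb-a", b"key-a", pkg, good),
        sign("rb-b", b"key-b", pkg, good),
        sign("rb-c", b"key-c", pkg, bad),    # disagrees with the archive hash
        sign("rb-a", b"key-a", pkg, good),   # duplicate from same key counts once
        sign("rb-z", b"key-z", pkg, good),   # untrusted key: ignored
    ]
    return may_install(pkg, good, links, 2), may_install(pkg, good, links, 3)

if __name__ == "__main__":
    print(demo())  # (True, False)
```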