repro-threshold v0.1.0 released - rebuilderd Debian apt integration

kpcyrd kpcyrd at archlinux.org
Wed Nov 26 23:40:02 UTC 2025


Dear list,

I'm pleased to announce the first release of a new tool I've been very 
busy working on:

https://github.com/kpcyrd/repro-threshold

It implements an apt transport that can be invoked through 
`reproduced+https://` and queries in-toto attestations from the set of 
rebuilderd instances that have been configured as trusted by the user.

Configuration can be done through a config file, or through a 
curses-like user interface (screenshots are in the repository). The user 
defines a threshold of "at least X of my N trusted rebuilders need to 
confirm they reproduced the binary".

It's an experimental attempt to explore the questions discussed during 
the summit last month, how users would declare trust, as well as the 
role of reputation and identity.

The tool can fetch a list of "suggested" rebuilders from this repository 
(you are welcome to pull request yours):

https://github.com/kpcyrd/rebuilderd-community

This specific kind of tool was also requested by a CCC member during 
MiniDebConf Hamburg 2025 (around the 15:30 mark):

https://debian.netcologne.de/debian-video/2025/MiniDebConf-Hamburg/hamburg2025-6-reproducedebiannet-rebuilding-what-is-distributed-from-ftpdebianorg.webm

The pacman integration isn't implemented yet; I'm planning to port this 
over from pacman-bintrans (which has had this feature since 2022, but 
without cryptographic attestations, without the configuration interface, 
and without the 'blindly trust' feature to allow-list some currently 
unreproducible packages, e.g. the Linux kernel). The pacman-bintrans 
project is then going to be retired/discontinued.

Prior art for this project (also pre-dating pacman-bintrans) is 
apt-transport-in-toto by the in-toto project and Lukas Pühringer (also 
special mention to Prof. Santiago Torres-Arias, Aditya Sirish, Prof. 
Justin Cappos, and Joy Liu):
https://github.com/in-toto/apt-transport-in-toto

cheers,
kpcyrd
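
The threshold rule from the announcement ("at least X of my N trusted rebuilders"), sketched as an added example; this is not code from repro-threshold. The function names, the example.* rebuilder URLs and the sample data are constructed, and attestation signatures are assumed to have been verified against each rebuilder's key before this step.

```python
import hashlib

def attested_digests(stmt):
    """sha256 digests listed as subjects of an in-toto Statement."""
    return {s.get("digest", {}).get("sha256") for s in stmt.get("subject", [])}

def confirmations(artifact, trusted, attestations):
    """Distinct trusted rebuilders whose attestation covers this exact artifact.

    attestations: (rebuilder_url, statement) pairs, signatures already checked
    (assumption). Returning a set makes a repeated rebuilder count only once.
    """
    digest = hashlib.sha256(artifact).hexdigest()
    return {url for url, stmt in attestations
            if url in trusted and digest in attested_digests(stmt)}

def accept(name, artifact, trusted, threshold, attestations, blindly_trust=()):
    """True if the package may be installed under the user's policy."""
    if not 1 <= threshold <= len(trusted):
        raise ValueError("threshold must be between 1 and the number of trusted rebuilders")
    if name in blindly_trust:  # allow-listed, currently unreproducible package
        return True
    return len(confirmations(artifact, trusted, attestations)) >= threshold

def statement(name, data):
    """Constructed, minimal in-toto Statement (predicate omitted)."""
    return {"_type": "https://in-toto.io/Statement/v1",
            "subject": [{"name": name,
                         "digest": {"sha256": hashlib.sha256(data).hexdigest()}}]}

# Constructed sample input: 3 trusted rebuilders, 4 attestations.
DEB = b"constructed package bytes"
TRUSTED = {"https://rebuilder-a.example", "https://rebuilder-b.example",
           "https://rebuilder-c.example"}
ATTESTATIONS = [
    ("https://rebuilder-a.example", statement("hello_1.0_amd64.deb", DEB)),
    ("https://rebuilder-a.example", statement("hello_1.0_amd64.deb", DEB)),  # duplicate
    ("https://rebuilder-b.example", statement("hello_1.0_amd64.deb", b"other output")),
    ("https://untrusted.example", statement("hello_1.0_amd64.deb", DEB)),  # not trusted
]

if __name__ == "__main__":
    for x in (1, 2):
        print(f"threshold {x} of {len(TRUSTED)}:",
              accept("hello", DEB, TRUSTED, x, ATTESTATIONS))
```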

