Conversation

  1. muesli (fribbledom@mastodon.social)'s status on Tuesday, 14-May-2019 17:24:25 UTC

    Thread:

    We need to talk about packaging, signatures, checksums and reproducible builds:

    On your system you have a keyring of packagers' GPG keys that you inherently trust.

    Releases get signed with a key, which verifies the packager as the author, and supposedly lets you and your system trust their contents.

    But do you really trust your packagers? How could you? Do you know them personally and monitor their packaging work?

    Would you even know if they release a package with malicious content?

    In conversation Tuesday, 14-May-2019 17:24:25 UTC from mastodon.social
    • muesli (fribbledom@mastodon.social)'s status on Tuesday, 14-May-2019 17:25:01 UTC, in reply to the above

      We need a system that lets us reproduce a packager's work and confirm that whatever they release was indeed built from a specific source tree without any unintended or even malicious changes.

      To achieve that we require reproducible builds, so we can correlate a build with its source tree(s) and dependencies.

      Whenever a new package gets released, this would allow independent systems and entities to verify that its contents really match the expectations.

      In conversation Tuesday, 14-May-2019 17:25:01 UTC
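The check the thread asks for, as an added example that is not part of the original posts: a constructed source tree is "built" into a tar archive either the usual way (stamping build host and wall-clock time, so honest builds still differ) or reproducibly (sorted entries, fixed mtime in the SOURCE_DATE_EPOCH style), and a release is accepted only when independent rebuilders reproduce its digest bit-for-bit. The tree contents, builder names and quorum are assumptions for the demo.

```python
import hashlib
import io
import tarfile
import time

# Constructed sample source tree (path -> contents); stands in for a real checkout.
SOURCE_TREE = {
    "pkg/README": b"demo package\n",
    "pkg/src/main.c": b"int main(void) { return 0; }\n",
}

def build(source_tree, reproducible, builder, source_date_epoch=0):
    """Pack the tree into a tar archive and return its bytes.
    reproducible=False mimics a common build that records the build host and
    wall-clock time, so two honest builds of identical sources still differ.
    reproducible=True fixes entry order and metadata (SOURCE_DATE_EPOCH style)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for path in sorted(source_tree):      # sorted: never filesystem order
            data = source_tree[path]
            info = tarfile.TarInfo(path)
            info.size = len(data)
            info.mtime = source_date_epoch     # fixed timestamp for every entry
            tar.addfile(info, io.BytesIO(data))
        if not reproducible:
            stamp = f"built by {builder} at {time.time_ns()}\n".encode()
            info = tarfile.TarInfo("pkg/BUILD_INFO")
            info.size = len(stamp)
            info.mtime = int(time.time())
            tar.addfile(info, io.BytesIO(stamp))
    return buf.getvalue()

def digest(artifact):
    return hashlib.sha256(artifact).hexdigest()

def verify_release(release_digest, rebuilder_digests, quorum=2):
    """Accept a release only if at least `quorum` independent rebuilders, each
    building the same source tree on their own machine, reproduced the exact
    digest. A valid packager signature alone never establishes this."""
    agreeing = sorted(n for n, d in rebuilder_digests.items() if d == release_digest)
    return len(agreeing) >= quorum, agreeing

if __name__ == "__main__":
    release = digest(build(SOURCE_TREE, True, "packager"))
    reports = {r: digest(build(SOURCE_TREE, True, r)) for r in ("rebuilder-a", "rebuilder-b")}
    print(verify_release(release, reports))          # (True, ['rebuilder-a', 'rebuilder-b'])
    # A build that silently used a modified tree produces a different digest.
    tampered = {**SOURCE_TREE, "pkg/src/main.c": b"int main(void) { return 1; }\n"}
    print(verify_release(digest(build(tampered, True, "packager")), reports))  # (False, [])
```

Without the reproducible path, the non-reproducible builds of the very same tree disagree with each other, so no rebuilder could ever confirm the packager's artifact.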

Bobinas P4G is a social network. It runs on GNU social, version 2.0.1-beta0, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All Bobinas P4G content and data are available under the Creative Commons Attribution 3.0 license.