pacman-bintrans 0.2.0 released, the new interface is not as polished as I originally anticipated but it's definitely an improvement. It's now able to query rebuilderd to check if the package was independently reproduced. Remember to remove `-v` from your `XferCommand =`.
You can use --required-rebuild-confirms to reject all updates unless they've been reproduced by this many rebuilders; setting it to any value other than the default 0 is likely going to cause issues though. Repo with setup instructions at
I think the screenshot demonstrates nicely how trust is meant to work there eventually: my system is querying confirmations from 2 rebuilders I trust and, e.g., the e2fsprogs package has been reproduced by both of them, so it's either legit or there's some kind of collusion going on.
"So you're saying... there could be a collusion?" - yes, and we want more people to run rebuilders. The reproducible-archlinux team can't do that for you because we're already involved with the existing setups, we need more independent parties to join.
