Conversation

pacman-bintrans 0.2.0 released, the new interface is not as polished as I originally anticipated but it's definitely an improvement. It's now able to query rebuilderd to check if the package was independently reproduced. Remember to remove `-v` from your `XferCommand =`.

3:24 PM · Jan 2, 2022Twitter Web App

Replying to

You can use --required-rebuild-confirms to reject all updates unless they've been reproduced by this many rebuilders, setting it to any value other then the default 0 is likely going to cause issues though. Repo with setup instructions at

github.com

GitHub - kpcyrd/pacman-bintrans: Experimental binary transparency for pacman with sigstore and rekor

Experimental binary transparency for pacman with sigstore and rekor - GitHub - kpcyrd/pacman-bintrans: Experimental binary transparency for pacman with sigstore and rekor

kpcyrd

@kpcyrd

Jan 2

I think the screenshot demonstrates nicely how trust is meant to work there eventually: My system is querying confirmations from 2 rebuilders I trust and eg. the e2fsprogs package has been reproduced by both of them, so it's either legit or there's some kind of collusion going on

kpcyrd

@kpcyrd

Jan 2

"So you're saying... there could be a collusion?" - yes, and we want more people to run rebuilders. The reproducible-archlinux team can't do that for you because we're already involved with the existing setups, we need more independent parties to join.