On Tue, 2021-04-06 at 10:39 -0400, David A. Wheeler wrote: > Press releases are not the best way to learn technical details :-). > > I suggest adding a link to more details e.g.: > > See <a href="https://sigstore.dev/what_is_sigstore/“>”What is sigstore"</a> > for more details. > > I think mentioning sigstore is value. Reproducible builds let you verify that > a given build *is* generated from a given source; sigstore can let you > verify that you got the *correct* source or build.
An interesting aside but Yocto Project sidesteps this issue by encoding the checksums of the source tarballs in it's recipes for software. Whilst that doesn't guarantee it is the correct source, it means that you're all using the same source and given the breadth of use of the project, you'd assume differences would be noticed and can certainly be audited. You'd be amazed how often we find projects that rebuild their release tarballs :/ Cheers, Richard
