On 4/10/24 12:58 PM, Chris Lamb wrote:
https://reproducible-builds.org/reports/2024-03/?draft
> Reproducible builds developer kpcyrd reported that that the Arch Linux "minimal container userland" is now 100% reproducible after work by developers dvzv and Foxboron on the one remaining package. The post, which kpcyrd suffixed with the question "now what?", continues on to outline some potential next steps, including validating whether the container image itself could be reproduced bit-for-bit. The post generated a significant number of replies.
Thanks for the kind words :) maybe it should be listed higher though, in its own section, as "major accomplishment within the community"?
It's also missing both the backseat-signed tool and the discussion in it's thread that highlights the idea of "maybe we should put unmodified git snapshots into .orig.tar.xz instead of allowing undocumented pre-processing", for the security properties this would have. Unfortunately the repo of the project is currently difficult to clone, I've put 60MB of test data into git LFS, but Github only grants 1GB of traffic on free tier, allowing about 16 clones. The files can currently not be downloaded because I'd need to buy data packs.
I also didn't have any time to continue the email thread, however I think I have made all my points sufficiently clear, for the people reading the thread in the future.
There's currently a similar discussion on hacker news: https://news.ycombinator.com/item?id=39988269
Thanks!
