On Mon, 2021-04-05 at 05:03 -0400, Chris Lamb wrote:
> Please feel free and commit/push to drafts without the overhead of
> sending patches or merge requests.
> If you currently do not have access to the above repository, you can
> request access by following the instructions at:
>
> Thanks!
>
> Where are those edits? I don't see them in reproducible-website.git or in
> your reply.
Oh, I just pushed, my bad (I wanted to double check it rendered properly
locally and I went down a rabbit hole of fixing my gen environment...).
Let me know if this helps...
>
> > I wasn't
Santiago Torres-Arias wrote on Tue, 06 Apr 2021 18:17 +00:00:
> On Tue, Apr 06, 2021 at 05:02:58PM +, Daniel Shahaf wrote:
> > > Do notice that verification is not part of the user story yet (i.e.,
> > > anybody can claim to own any artifact).
> >
> > So, if I understand correctly, sigstore
Good morning Santiago,
Santiago Torres-Arias wrote on Tue, Apr 06, 2021 at 10:50:20 -0400:
> > I think mentioning sigstore is value. Reproducible builds let you verify
> > that
> > a given build *is* generated from a given source; sigstore can let you
> > verify that you got the *correct* source
> On Apr 6, 2021, at 10:50 AM, Santiago Torres-Arias
> wrote:
>
>> I think mentioning sigstore is value. Reproducible builds let you verify that
>> a given build *is* generated from a given source; sigstore can let you
>> verify that you got the *correct* source or build.
>
> I think
So that everyone is aware, we on the bootstrappable side of the house have
eliminated pregen (like Bison grammars) files from the GCC bootstrap.
https://github.com/fosslinux/live-bootstrap
Now nothing except human written source should remain
It even makes a pretty graph (
> I think mentioning sigstore is value. Reproducible builds let you verify that
> a given build *is* generated from a given source; sigstore can let you
> verify that you got the *correct* source or build.
I think mentioning sigstore is a good idea (Full disclosure, I'm
involved in the effort),
On Tue, 2021-04-06 at 10:39 -0400, David A. Wheeler wrote:
> Press releases are not the best way to learn technical details :-).
>
> I suggest adding a link to more details e.g.:
>
> See https://sigstore.dev/what_is_sigstore/ ("What is sigstore")
> for more details.
>
> I think mentioning
Press releases are not the best way to learn technical details :-).
I suggest adding a link to more details e.g.:
See https://sigstore.dev/what_is_sigstore/ ("What is sigstore") for
more details.
I think mentioning sigstore is value. Reproducible builds let you verify that
a given build *is*
Daniel Shahaf wrote:
> It's not our business to fix their press release, of course, but if we
> link to something, we should ensure _our_ readers will be able to tell
> what we link to and why it's significant. If their press release doesn't
> explain that, then we could explain those bits
On 06/04/2021 02.24, Daniel Shahaf wrote:
> I don't understand from that post what's so significant about sigstore,
> even after having followed the link to upstream's press release.
I think, the problem that it tries to address is that most (90%?) of
upstreams publish just tarballs/zipfiles