Guix has a very good complementary approach to this problem, guix challenge. Perhaps it's also implemented in Nix already:

https://www.gnu.org/software/guix/manual/html_node/Invoking-...

Basically, since builds are reproducible, you can automatically build from source and see if the hash of the binary you built matches the one you are downloading.

Obviously, source can still be compromised. But that's probably something IPFS won't fix unless wherever you get sources from is also on IPFS.
`nix-build` can take `--check` to do a similar thing. However, not all packages are reproducible. We've been doing a bit of work on this: https://garbas.si/2016/reproducible-builds-summit-in-berlin.... and have begun checking reproducibility in our CI system: http://hydra.nixos.org/jobset/nixos/reproducibility


Just a tiny nitpick, if I may: most builds are reproducible, but not all. Out of ~5000 packages, ~600 are not yet reproducible.
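The check described in the first two comments (build locally, hash the output, compare against what the substitute servers offer) as an added example, not code from Guix or Nix. `tree_hash` is a simplified stand-in for the NAR hash those tools use: it covers sorted paths, type, executable bit and contents and ignores timestamps; `challenge` and the constructed sample outputs are assumptions for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def tree_hash(root):
    """Deterministic hash of a directory tree (simplified NAR-style hash).
    Covers sorted relative paths, entry type, executable bit and file
    contents; mtimes and ownership are deliberately ignored."""
    h = hashlib.sha256()
    root = Path(root)
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix().encode()
        if path.is_symlink():  # test before is_dir(), which follows links
            h.update(b"symlink:" + rel + b"\0" + os.readlink(path).encode() + b"\0")
        elif path.is_dir():
            h.update(b"dir:" + rel + b"\0")
        else:
            exe = b"x" if os.access(path, os.X_OK) else b"-"
            h.update(b"file:" + rel + b"\0" + exe + b"\0" + path.read_bytes() + b"\0")
    return h.hexdigest()


def challenge(local_hash, substitutes):
    """Compare the hash of a local build with the hashes reported by
    substitute servers; return the servers whose output differs."""
    return [server for server, h in substitutes.items() if h != local_hash]


def demo():
    """Constructed sample: two bit-identical builds with different mtimes,
    plus one that embeds a build date (the classic unreproducible case)."""
    with tempfile.TemporaryDirectory() as tmp:
        hashes = {}
        for i, (name, stamp) in enumerate(
            [("local", ""), ("mirror-a", ""), ("mirror-b", "built 2016-12-06\n")]
        ):
            out = Path(tmp) / name
            (out / "bin").mkdir(parents=True)
            (out / "share").mkdir()
            (out / "bin" / "hello").write_bytes(b"#!/bin/sh\necho hello\n")
            os.chmod(out / "bin" / "hello", 0o755)
            (out / "share" / "info.txt").write_text("hello 1.0\n" + stamp)
            for p in out.rglob("*"):  # different mtimes must not matter
                os.utime(p, (1000 * (i + 1), 1000 * (i + 1)))
            hashes[name] = tree_hash(out)
        return challenge(hashes.pop("local"), hashes)  # returns ["mirror-b"]
```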