I never got around to submitting my blog to HN. But if people are curious about some technical details of the underlying problems of reproducing Arch Linux packages I wrote something a few months ago.
This is fantastic to see. Reproducible builds adds yet another layer of trust on top of open source software. The wiki page is also classic Arch Wiki-style, with all the detail one would expect. Every OSS project should strive to be this helpful.
I care more about if maintainers actually audit the contents of packages rather than if their builds are reproducible (though the latter still matters)!
Not just is there obvious malware, but also are there obvious vulnerabilities, is the person that wrote it of good nature / located in a country where they’re safe from nation state pressure, is there a lot of history behind the app.
Obviously this is too much work for any individual and requires a chain of trust. I believe fedora and Ubuntu at the very least audit to some extent but I’ve never seen any doco.
I think they intended the phrase as a question; they're proposing that a maintainer should not just ask "is there obvious malware in this package?", but also several other questions (which they list afterwards).
Isn't this chain of trust essentially what crev [0] tries to do? FWIW Rust implements cargo-crev [1], but I suppose you could extend this to AUR packages with a bit of work.
I believe the whole reproducible-builds.org project started at Debian [0], the Core Team is still all made of Debian Developers, more information at:
https://reproducible-builds.org/
Based on my reading of this Arch wiki page[0], it looks like this doesn't impact packages in the AUR. Does anyone who is more familiar with this know if that is true? It appears that it does work for community packages though (see the bottom of this page[1]).
>Based on my reading of this Arch wiki page[0], it looks like this doesn't impact packages in the AUR.
Yes. AUR is excluded from reproducible builds because it only provides build scripts and not actual packages. There is nothing to reproduce. One surely could make a repo and compare results, but it would frankly be a bit futile considering the general package quality there.
This is a question of the artifacts distributed as part of Arch Linux, the tar.xz packages. The idea is to be able to reproducibly build a package from source (where "source", yes, may include binary assets and blobs), and check that the copy you built matches what Arch distributes, byte for byte. This way, you know the packager hasn't introduced unexpected changes.
Since end users build AUR packages themselves, there is nothing distributed, and nothing to verify.
You're describing what those AUR builds do not what they are.
Reproducible builds are for artifacts that are... built. Plenty of AUR recipes download blobs and explode them, but the resulting xz package isn't actually hosted in the AUR.
A tool like rebuilderd would only be relevant to the AUR in the case that somebody is publishing generated AUR packages to a repo for others to install without building them directly, and then you'd like to verify those.
The AUR doesn't distribute those executables; it distributes the instructions for the user (or some software working on behalf of the user) to go fetch the executables themselves. This is an important distinction, because the official Arch repositories _do_ distribute executables, directly to the user.
https://linderud.dev/blog/reproducible-arch-linux-packages/
EDIT: I did self-discover I did submit the article when I wrote it. Just forgot. Oh well :)