
Re: Summary of the current state of the tag2upload discussion



On 24.06.24 18:12, Russ Allbery wrote:
> It is worth noting for comparison purposes that a compromise of a binary
> buildd is even harder to detect, since it leaves no trace in the archive
> at all apart from the malicious binary package.

Thus, reproducible builds, which we (and others) have been working on for years. Surprise: we still aren't there yet.

A reproducibility checker for t2u seems like child's play, compared to that effort. While no t2u checker currently exists, somebody might be motivated enough to write one. (Hint, hint …)

--
-- regards
--
-- Matthias Urlichs
