Hacker News

I think it would be more precise to say that reproducible builds rely on asynchronous trust: individual users trust the pre-built packages on the expectation that some users are building from source and comparing against the package results.

It’s worth noting here that it’s not sufficient for some users to build from source for their own usage: they have to additionally compare their build results against the version served by the repository, and then they have to publicize if there’s a mismatch.

As somebody who builds many things from source, but has never attempted to validate a packaged repo using my results, I’m curious: does anybody here perform this validation?
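The check the comment above describes, comparing a locally reproduced build against the archive the repository actually serves and reporting which files differ, as an added example that is not from this thread (the two tarballs are constructed in memory to stand in for "my build" and "the repository's build"; a real run would fetch the published artifact and build the same source locally):

```python
"""Compare a locally reproduced build against the package a repository serves."""
import hashlib
import io
import tarfile
from typing import Dict, Tuple


def _members(data: bytes) -> Dict[str, str]:
    """Map each regular file in a tarball to the SHA-256 of its contents."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar.getmembers():
            if m.isfile():
                out[m.name] = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
    return out


def compare_builds(local: bytes, published: bytes) -> Dict[str, Tuple[str, str]]:
    """Return {path: (local_digest, published_digest)} for every mismatch.

    A file present on only one side is reported with '' as the other digest.
    An empty dict means both archives hold identical file contents (archive
    metadata such as mtimes is deliberately not compared here).
    """
    a, b = _members(local), _members(published)
    diff = {}
    for path in sorted(set(a) | set(b)):
        if a.get(path, "") != b.get(path, ""):
            diff[path] = (a.get(path, ""), b.get(path, ""))
    return diff


def make_tar(files: Dict[str, bytes]) -> bytes:
    """Build a small tarball from {path: contents} (constructed sample input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed: same binary, but an embedded build date differs between the two.
    mine = make_tar({"bin/app": b"\x7fELF...", "BUILD_INFO": b"built 2024-01-01\n"})
    theirs = make_tar({"bin/app": b"\x7fELF...", "BUILD_INFO": b"built 2024-01-02\n"})
    for path, (l, p) in compare_builds(mine, theirs).items():
        print(f"MISMATCH {path}: local={l[:12]} published={p[:12]}")
```

A non-empty result is what the commenter means by "a mismatch": it is the thing to publicize, and the listed paths are where to start looking for the non-reproducible input.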



Mozilla's add-on reviewers do. I know because our build wasn't totally reproducible and they made us make it so.



