Collaborative Working Sessions - Language-specific package managers

  • Packaging, source or binary? Python and Rust (crates) support both
  • Crates have immutable tags, git usually does not
  • Source provenance is important but usually hard to get
  • Scorecard can help
  • GOSST (Google) scans packages and tries to rebuild their contents with some success; results are not yet published
    • If results were published, they could be used to add badges to packages in the repositories indicating that the package was rebuilt and verified by a third-party builder
    • Could be used for CLI integration to only allow installation of packages that have been rebuilt/verified by a third party
    • What is compared here is the binary/source artifact, not all the metadata
    • Makes it easier to adopt, as maintainers do not have to change all their CI/CD workflows
  • Discussed hosted vs. local builders and trustworthiness: if the build is being reproduced, both hosted and local builders can be trusted
    • Having developers managing key materials can still be hard
  • Can we tie Scorecard data into the package registry?
  • Can we have workflows that trigger a rebuild on a release, and gate the publish step with a verified rebuild?
  • First action point:
    • Have third-party builders rebuild packages, similar to what Herve is doing for Maven Central?
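The rebuild-and-compare step discussed above (comparing the artifact itself rather than its metadata, and using the verdict to gate an install or publish), as an added illustration that is not part of these notes or of any of the projects mentioned: it compares a published archive with a rebuilt one member by member, ignoring archive header timestamps so a rebuild that only differs in mtimes still counts as reproduced. The archives and their contents are constructed inline; `make_archive` is a stand-in for downloading a wheel or crate and rebuilding it.

```python
"""Compare a published archive with its rebuild at content level (added example)."""
import hashlib
import io
import zipfile


def member_digests(archive_bytes: bytes) -> dict:
    """Map each file in the archive to the SHA-256 of its content.

    Header metadata such as mtime is deliberately not hashed, so a rebuild
    that differs only in timestamps is still reported as reproduced.
    """
    digests = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_rebuild(published: bytes, rebuilt: bytes) -> dict:
    """Return a verdict: reproduced flag plus the members that differ."""
    a, b = member_digests(published), member_digests(rebuilt)
    only_published = sorted(set(a) - set(b))
    only_rebuilt = sorted(set(b) - set(a))
    changed = sorted(n for n in a.keys() & b.keys() if a[n] != b[n])
    return {
        "reproduced": not (only_published or only_rebuilt or changed),
        "raw_bytes_equal": hashlib.sha256(published).digest()
        == hashlib.sha256(rebuilt).digest(),
        "only_published": only_published,
        "only_rebuilt": only_rebuilt,
        "changed": changed,
    }


def make_archive(files: dict, mtime: tuple) -> bytes:
    """Constructed sample archive standing in for a downloaded or rebuilt package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            info = zipfile.ZipInfo(name, date_time=mtime)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


if __name__ == "__main__":
    src = {"pkg/__init__.py": b"VERSION = '1.0'\n", "pkg/core.py": b"def f(): return 1\n"}
    published = make_archive(src, (2024, 1, 1, 0, 0, 0))
    rebuilt = make_archive(src, (2024, 6, 1, 12, 0, 0))  # same content, new mtimes
    print(compare_rebuild(published, rebuilt))  # reproduced: True, raw bytes differ
    tampered = dict(src, **{"pkg/core.py": b"def f(): return 2\n"})
    print(compare_rebuild(published, make_archive(tampered, (2024, 6, 1, 12, 0, 0))))
```

A gate would allow the install or publish only when `reproduced` is true; `raw_bytes_equal` is kept in the verdict to show why a plain digest comparison alone would reject otherwise reproducible builds.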