Collaborative Working Sessions - Language-specific package managers

  • Packaging, source or binary? Python and Rust (crates) supports both
  • Crates have immutable tags, git usually does not
  • Source provance is important but usually hard to get
  • Score card can help
  • GOSST (Google) scans packages and try to rebuild it’s content with some success, results are not yet published
    • If results were published, could be used to add badges to the packages in the repositories that the package was rebuilt and verified by a third party builder
    • Could be used for cli integration to only allow install of packages being rebuilt/verified by a third party
    • Compare here is the binary/source artifact, not all metadata
    • Makes it easier to adopt as maintainers do not have to change all their CI/CD workflows
  • Discussed hosted vs local builder and trustworthyness, if the buid is being reproduced, both hosted and local builder can be trusted
    • Having developers managing key materials can still be hard
  • Can we tie Scorecard data into the package registry?
  • Can we have workflows that triggers a rebuild on a release, and gate the publish step with a verified rebuild?
  • First action point:
    • Have thirdparty builders rebuilt packages similar to what Herve is doing for Maven Central?

Follow us on Twitter @ReproBuilds, Mastodon & Reddit and please consider making a donation. • Content licensed under CC BY-SA 4.0, style licensed under MIT. Templates and styles based on the Tor Styleguide. Logos and trademarks belong to their respective owners. • Patches for this website welcome via our Git repository (instructions) or via our mailing list. • Full contact info