Collaborative Working Sessions - Language-specific package managers
- Packaging, source or binary? Python and Rust (crates) supports both
- Crates have immutable tags, git usually does not
- Source provance is important but usually hard to get
- Score card can help
- GOSST (Google) scans packages and try to rebuild it’s content with
some success, results are not yet published
- If results were published, could be used to add badges to the packages in the repositories that the package was rebuilt and verified by a third party builder
- Could be used for cli integration to only allow install of packages being rebuilt/verified by a third party
- Compare here is the binary/source artifact, not all metadata
- Makes it easier to adopt as maintainers do not have to change all their CI/CD workflows
- Discussed hosted vs local builder and trustworthyness, if the buid
is being reproduced, both hosted and local builder can be trusted
- Having developers managing key materials can still be hard
- Can we tie Scorecard data into the package registry?
- Can we have workflows that triggers a rebuild on a release, and gate the publish step with a verified rebuild?
- First action point:
- Have thirdparty builders rebuilt packages similar to what Herve is doing for Maven Central?
Follow us on Twitter @ReproBuilds, Mastodon @firstname.lastname@example.org & Reddit and please consider making a donation. • Content licensed under CC BY-SA 4.0, style licensed under MIT. Templates and styles based on the Tor Styleguide. Logos and trademarks belong to their respective owners. • Patches for this website welcome via our Git repository (instructions) or via our mailing list. • Full contact info