Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Publish / make use of .buildinfo files for RPM packages #418

Open
eaon opened this issue Mar 7, 2023 · 0 comments
Open

Publish / make use of .buildinfo files for RPM packages #418

eaon opened this issue Mar 7, 2023 · 0 comments

Comments

@eaon
Copy link
Contributor

eaon commented Mar 7, 2023

Adding this here as it would apply to securedrop-updater as well as securedrop-workstation

I just noticed that QubesOS publishes .buildinfo files for RPM packages (example), and it turns out they use a relatively simple script for this. They also have a tool to verify reproducibility that take these files as input.

I think following their example here would be cool, though it would require us to switch up how we build RPM packages right now (adding a step to create SRPMs).
cfm added a commit to freedomofpress/securedrop-yum-prod that referenced this issue Feb 27, 2025
@cfm
ci: output the hashes of all RPM packages without their signatures
1e161fc 
This is a step towards automating the check of pre-signature
reproducibility proposed by freedomofpress/securedrop-builder#418.
cfm added a commit to freedomofpress/securedrop-yum-prod that referenced this issue Feb 27, 2025
@cfm
ci: output the hashes of all RPM packages without their signatures
04b8849 
This is a step towards automating the check of pre-signature
reproducibility proposed by freedomofpress/securedrop-builder#418.
cfm added a commit to freedomofpress/securedrop-yum-prod that referenced this issue Feb 27, 2025
@cfm
ci: output the hashes of all RPM packages without their signatures
cd7f782 
This is a step towards automating the check of pre-signature
reproducibility proposed by freedomofpress/securedrop-builder#418.
cfm added a commit to freedomofpress/securedrop-yum-prod that referenced this issue Feb 27, 2025
@cfm
ci: output the hashes of all RPM packages without their signatures
0a27ed0 
This is a step towards automating the check of pre-signature
reproducibility proposed by freedomofpress/securedrop-builder#418.
cfm added a commit to freedomofpress/securedrop-yum-prod that referenced this issue Feb 28, 2025
@cfm
ci: output the hashes of all RPM packages without their signatures
89ae9f8 
This is a step towards automating the check of pre-signature
reproducibility proposed by freedomofpress/securedrop-builder#418.
cfm added a commit to freedomofpress/securedrop-yum-prod that referenced this issue Feb 28, 2025
@cfm
ci: output the hashes of all RPM packages without their signatures
203f88c 
This is a step towards automating the check of pre-signature
reproducibility proposed by freedomofpress/securedrop-builder#418.
cfm added a commit to freedomofpress/securedrop-yum-prod that referenced this issue Feb 28, 2025
@cfm
ci: output the hashes of all RPM packages without their signatures
2838893 
This is a step towards automating the check of pre-signature
reproducibility proposed by freedomofpress/securedrop-builder#418.
@cfm cfm mentioned this issue Feb 28, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@eaon