Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://nerdculture.de/users/kirschwipfel/statuses/112183708887529887">🍒🌳 Hartmut Goebel (kirschwipfel@nerdculture.de)'s status on Monday, 01-Apr-2024 10:12:03 JST</a><a href="https://nerdculture.de/@kirschwipfel" title="kirschwipfel@nerdculture.de"><img src="https://gnusocial.jp/avatar/148990-48-20231116053259.webp" width="48" height="48" alt="🍒🌳 Hartmut Goebel" style="position: absolute; left: 0; top: 0;">🍒🌳 Hartmut Goebel</a><div><a href="https://udongein.xyz/objects/f36f91fd-32ce-4ff4-bc77-d5ce4c525f1b" rel="in-reply-to">in reply to</a><ul><li><li><a href="https://gnusocial.jp/user/209694" title="lispi314@udongein.xyz">LisPi</a></li><li><a href="https://gnusocial.jp/user/252580" title="andresfreundtec@mastodon.social">AndresFreundTec</a></li></ul></div></section><article><p>&gt; I"m not sure if many other projects do like Guix and record the checksum of the whole repository so as to ensure reproducibility purely from source.</p><p>If the packager chooses to use the official tarball as "the source", validating the checksum would not have helped. :-( Also whether it's always possible to run running autoreconf depends on the content of the tarball.</p><p>Which brings me to the (preliminary) conclusion that we'd better use repos as source of trust<br><a href="https://udongein.xyz/users/lispi314">@lispi314</a> <a href="https://mastodon.social/@AndresFreundTec">@AndresFreundTec</a> <a href="https://mastodon.social/@glyph">@glyph</a></p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/2879212#notice-5736950">In conversation</a><time datetime="2024-04-01T10:12:03+09:00" title="Monday, 01-Apr-2024 10:12:03 JST">about a year ago</time> <span>from <span><a href="https://nerdculture.de/@kirschwipfel/112183708887529887" rel="external" title="Sent from nerdculture.de via ActivityPub">nerdculture.de</a></span></span><a href="https://nerdculture.de/@kirschwipfel/112183708887529887">permalink</a></footer></blockquote>

Corresponding Notice

Embed this notice
🍒🌳 Hartmut Goebel (kirschwipfel@nerdculture.de)'s status on Monday, 01-Apr-2024 10:12:03 JST🍒🌳 Hartmut Goebel
in reply to
> I"m not sure if many other projects do like Guix and record the checksum of the whole repository so as to ensure reproducibility purely from source.
If the packager chooses to use the official tarball as "the source", validating the checksum would not have helped. :-( Also whether it's always possible to run running autoreconf depends on the content of the tarball.
Which brings me to the (preliminary) conclusion that we'd better use repos as source of trust
@lispi314 @AndresFreundTec @glyph
In conversationabout a year ago from nerdculture.depermalink

Public

Embed Notice

HTML Code

Corresponding Notice