Wednesday, 15 May 2013

Re: App installer design: only source packages or reproducible builds

Hi all,

An aspect of the package format which has not been brought up yet is the reproducibility of the builds.

The availability of the source of a package implies that a user can create the binaries from the source. However, in practice it is rarely the case that running the build command that makes a binary package from a source package results in a package with the same binary.

This deficiency means that the receiver of the software does not have the freedom to study how the program works, because it is very hard or nearly impossible to verify that the provided binary was obtained by compiling the provided source code.

There are two solutions to this problem:
1) only ship source code and let the user compile
2) make sure that the process to turn the source code into a binary is as predictable as 1 + 1 = 2.
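To make option 2 concrete, here is an added example (not part of this thread or of any Ubuntu tooling) of a toy package build with a reproducibility check. It models one common source of unpredictable output, build-time timestamps and ownership recorded in archive metadata, and the usual fix of pinning them to a SOURCE_DATE_EPOCH value; the sample source tree, timestamps and function names are constructed for illustration.

```python
"""Added example: a toy 'package build' with a reproducibility check.

Not from the ubuntu-devel thread; it models only one common source of
non-reproducible output (build-time timestamps in archive metadata) and the
usual fix (pinning them to SOURCE_DATE_EPOCH). Names and the sample source
tree are constructed for illustration.
"""
import gzip
import hashlib
import io
import tarfile

# Constructed stand-in for a source package's build tree.
SOURCE_TREE = {
    "hello-1.0/Makefile": b"all: hello\n\nhello: hello.c\n\tcc -o hello hello.c\n",
    "hello-1.0/hello.c": b'#include <stdio.h>\nint main(void) { puts("hello"); return 0; }\n',
}


def build_package(files, build_time, source_date_epoch=None):
    """Produce a .tar.gz 'binary package' from the source tree.

    With source_date_epoch=None the build behaves like a naive packager: every
    archive entry and the gzip header carry the wall-clock time of the build.
    With a value set, that value is used instead, so two builds of the same
    input give byte-identical output regardless of when they run.
    """
    stamp = build_time if source_date_epoch is None else source_date_epoch
    raw = io.BytesIO()
    # Uncompressed tar inside an explicit GzipFile so we control the gzip mtime field.
    with tarfile.open(fileobj=raw, mode="w") as tar:
        # Sorted order: filesystem enumeration order is not stable across machines.
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = stamp
            info.uid = info.gid = 0       # do not leak the builder's uid/gid
            info.uname = info.gname = ""  # or account names
            tar.addfile(info, io.BytesIO(files[name]))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=stamp) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def is_reproducible(files, source_date_epoch=None):
    """Build the same input at two different times and compare the digests.

    Returns (identical, digest_a, digest_b). The two build times are constructed.
    """
    a = build_package(files, build_time=1_368_600_000, source_date_epoch=source_date_epoch)
    b = build_package(files, build_time=1_368_686_400, source_date_epoch=source_date_epoch)
    return sha256(a) == sha256(b), sha256(a), sha256(b)


def explain_difference(pkg_a, pkg_b):
    """List the archive members whose metadata or content differs between two builds.

    A tiny stand-in for what a tool like diffoscope reports: content differences
    are flagged separately from timestamp and ownership differences.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(pkg_a)) as ta, \
            tarfile.open(fileobj=io.BytesIO(pkg_b)) as tb:
        members_a = {m.name: m for m in ta.getmembers()}
        members_b = {m.name: m for m in tb.getmembers()}
        for name in sorted(set(members_a) | set(members_b)):
            ma, mb = members_a.get(name), members_b.get(name)
            if ma is None or mb is None:
                findings.append((name, "present in only one build"))
                continue
            if ma.mtime != mb.mtime:
                findings.append((name, "mtime differs"))
            if (ma.uid, ma.gid, ma.uname, ma.gname) != (mb.uid, mb.gid, mb.uname, mb.gname):
                findings.append((name, "ownership differs"))
            if ta.extractfile(ma).read() != tb.extractfile(mb).read():
                findings.append((name, "content differs"))
    return findings


if __name__ == "__main__":
    same, h1, h2 = is_reproducible(SOURCE_TREE)
    print("naive build reproducible:", same)
    same, h1, h2 = is_reproducible(SOURCE_TREE, source_date_epoch=1_368_576_000)
    print("pinned build reproducible:", same, h1)
```

The naive build yields a different digest every time it is run, even though the source never changed, so a receiver comparing their own build against the shipped archive learns nothing. Once the timestamps and ownership are pinned, any two builders get the same bytes and a plain digest comparison becomes a meaningful check that the binary came from the published source.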

Is it a goal of the app installer and package format to let the receivers of the software enjoy the freedom to study how the program works?

Best regards,

ubuntu-devel mailing list