In light of https://bugs.gentoo.org/928134, I was thinking that one of the easy things that could be done to improve transparency would be fetching sources from SCM repositories rather than tarballs. Indeed there is one less layer of indirection to the canonical source, less generated code, which we can regenerate easily in Gentoo (eautoreconf), so their contents are more auditable than tarballs (obviously if a commit signature is used). But this should be reliable too, so in the same way that tarballs are mirrored, there should be some infra to mirror SCM repos. Notes: - I was in the process of starting to work on tooling that would verify release tarballs vs. SCM repo contents, but I was thinking that maybe the energy would be better spent on a more radical solution. - I can help. - I think OpenEmbedded/Yocto repos are going towards use of SCM sources. The recipes are systematically and directly using commit hashes, which may not be super elegant compared to specifying a tag and having a separate manifest. Yocto 4.1 has a github-releases eclass ; see also UPSTREAM_CHECK_* Best regards, Reproducible: Always
This sounds good in principle, but it's probably unworkable with the current state of things. People already frequently complain about the size of downloads in Gentoo compared to binary distros. The linux-6.8 tarball for instance is 142MB in my distdir, while a `git clone --bare --depth=1 file:///usr/src/linux/` consumes close to twice that both on disk and network, and that's after mediocre runtime zlib compression. And unless you convince the entire world to switch to Fossil or something, you've created a SHA1 monoculture. In the context of trying to make things *more* secure that seems like a bad idea. I think a system that compares upstream tarballs to SCM and calls out any discrepancies would be of value, though.
There's really nobody for me to assign this bug to, so I am closing it. This would be be better handled as a project outside of Bugzilla.
