tools, which make it possible to organize an independent check of the distribution's binary packages by deploying a continuously running build process that compares the downloaded packages with the packages obtained by rebuilding them on the local system. The toolkit is written in Rust and distributed under the GPLv3 license.
Currently, rebuilderd offers only experimental support for verifying Arch Linux packages, but support for Debian is promised soon. In the simplest case, to run rebuilderd you install the rebuilderd package from the regular repository, import the GPG key used to verify the build environment, and enable the corresponding system service. It is also possible to deploy a network of several rebuilderd instances.
The service monitors the state of the package index and automatically starts rebuilding new packages in a reference environment whose state is synchronized with the settings of the main Arch Linux build environment. During the rebuild, such details as exact dependency matching, use of the same build tools and versions, an identical set of default options and settings, and preservation of the build order (using the same sorting methods) are taken into account. Build settings prevent the compiler from embedding volatile metadata such as random values, file path references, and the build date and time.
Currently, reproducible builds cover 84.1% of the packages in the Arch Linux core repository, 83.8% of the extra repository and 76.9% of the community repository. For comparison, the figure for Debian 10 is 94.1%. Reproducible builds are an important security feature: they give any user the opportunity to confirm that the binary packages offered by the distribution match, byte for byte, packages they built themselves from source. Without the ability to verify that a binary build is identical, the user can only blindly trust someone else's build infrastructure, where a compromised compiler or build tools could lead to the insertion of hidden backdoors.
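To illustrate why the build settings described above (fixed timestamps, stable file ordering, no volatile metadata) matter for a byte-for-byte check, here is an added Python example; it is not part of the original article and is not rebuilderd's own code. It packs a constructed sample package twice, once with naive metadata and once with the volatile fields pinned, and then compares SHA-256 digests the way a rebuilder compares the distributed package with its local rebuild. The sample file contents, the SOURCE_DATE_EPOCH value, the "match"/"mismatch" labels and all function names are assumptions of this example.

```python
import hashlib
import io
import tarfile
import time

# Constructed sample "source tree" for a hypothetical package: path -> file content.
SOURCE_FILES = {
    "usr/bin/hello": b"#!/bin/sh\necho hello\n",
    "usr/share/doc/hello/README": b"hello package\n",
}

# Fixed reference timestamp used for every file mtime in a normalized build
# (plays the role of SOURCE_DATE_EPOCH; the value itself is an assumption).
SOURCE_DATE_EPOCH = 1500000000


def build_package(files, normalize, build_time=None):
    """Pack `files` into an uncompressed tar archive and return its bytes.

    normalize=False imitates a naive build: entries are written in arrival
    order and stamped with the wall-clock build time and the builder's
    account name, so two builds on different days differ byte-for-byte.
    normalize=True imitates a reproducible build: entries are sorted and
    every volatile field (mtime, owner) is pinned to a fixed value.
    Plain tar is used deliberately: gzip would add its own timestamp header.
    """
    if build_time is None:
        build_time = int(time.time())
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tar:
        names = sorted(files) if normalize else list(files)
        for name in names:
            data = files[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = 0o644
            if normalize:
                info.mtime = SOURCE_DATE_EPOCH
                info.uid = info.gid = 0
                info.uname = info.gname = ""
            else:
                info.mtime = build_time
                info.uname = info.gname = "builder"
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256_hex(data):
    """Hex SHA-256 digest of a package blob."""
    return hashlib.sha256(data).hexdigest()


def verify_rebuild(distributed, rebuilt):
    """Compare a distributed package with a local rebuild.

    Returns both digests and a status. A mismatch means either the build is
    not reproducible or one of the two artifacts was produced by something
    other than the claimed source and toolchain, which is exactly the case a
    rebuilder exists to surface.
    """
    d, r = sha256_hex(distributed), sha256_hex(rebuilt)
    return {"distributed": d, "rebuilt": r, "status": "match" if d == r else "mismatch"}


if __name__ == "__main__":
    # Two naive builds one day apart: the archives differ although the source is identical.
    naive_a = build_package(SOURCE_FILES, normalize=False, build_time=1600000000)
    naive_b = build_package(SOURCE_FILES, normalize=False, build_time=1600086400)
    print("naive:     ", verify_rebuild(naive_a, naive_b)["status"])
    # Two normalized builds one day apart: identical bytes, so the check passes.
    repro_a = build_package(SOURCE_FILES, normalize=True, build_time=1600000000)
    repro_b = build_package(SOURCE_FILES, normalize=True, build_time=1600086400)
    print("normalized:", verify_rebuild(repro_a, repro_b)["status"])
```

The naive run reports a mismatch even though nothing but the clock changed between the two builds, which is why a real rebuilder must reproduce the reference environment's normalization settings exactly: otherwise every package would look tampered with and the check would carry no signal.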
Source: opennet.ru
