rebuilderd available for independent verification of Arch Linux reproducible builds

The rebuilderd toolkit has been released. It lets you organize an independent check of a distribution's binary packages by running a continuously operating build process that compares the downloaded packages with the packages produced by rebuilding them on the local system. The toolkit is written in Rust and distributed under the GPLv3 license.

Currently rebuilderd offers only experimental support for verifying Arch Linux packages, but support for Debian is promised soon. In the simplest case, running rebuilderd requires installing the rebuilderd package from the regular repository, importing the GPG key used to verify the build environment, and enabling the corresponding system service. It is also possible to deploy a network of several rebuilderd instances.

The service monitors the state of the package index and automatically starts rebuilding new packages in a reference environment whose state is synchronized with the settings of the main Arch Linux build environment. The rebuild reproduces details such as an exact match of dependencies, the same composition and versions of the build toolchain, an identical set of options and default settings, and the same file ordering during the build (using the same sorting methods). The build settings also prevent the compiler from embedding non-deterministic metadata, such as random values, references to file paths, and the build date and time.

Currently reproducible builds are achieved for 84.1% of packages in the Arch Linux core repository, 83.8% in the extra repository, and 76.9% in the community repository. For comparison, in Debian 10 this figure is 94.1%. Reproducible builds are an important security property, because they give any user the opportunity to confirm that the binary packages offered by the distribution match, byte for byte, the builds they compile themselves from source. Without the ability to check that a binary build is identical, the user can only blindly trust someone else's build infrastructure, where a compromised compiler or build tool could be used to plant hidden backdoors.
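The two paragraphs above describe what a rebuilder has to control (member ordering, timestamps, ownership) and what it ultimately checks (a byte-for-byte comparison). The following added example, which is not rebuilderd's code and uses only a constructed three-file package tree, packages the same tree twice in a naive way and twice in a reproducible way, then performs the comparison a rebuilder would. The `SOURCE_DATE_EPOCH` convention used for the fixed timestamp is the reproducible-builds standard; every other name here is made up for illustration.

```python
"""Toy reproducible-build illustration (added example, not rebuilderd code).

Shows why an unsorted file walk and wall-clock timestamps break byte-for-byte
reproducibility, and how a rebuilder verifies a package by comparing digests.
"""
import gzip
import hashlib
import io
import os
import tarfile
import time

# Constructed sample build output (path -> content), deliberately listed
# in non-sorted order to mimic an unsorted directory walk.
SAMPLE_TREE = {
    "usr/share/doc/hello/README": b"hello package\n",
    "usr/bin/hello": b"#!/bin/sh\necho hello\n",
    "usr/lib/hello/hello.conf": b"verbose=0\n",
}


def naive_package(tree, build_time=None, builder_uid=1000):
    """Non-reproducible packaging: members in iteration order, wall-clock
    time in both the tar headers and the gzip header, builder's uid/gid."""
    if build_time is None:
        build_time = int(time.time())
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tar:
        for path, data in tree.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            info.mtime = int(build_time)
            info.uid = info.gid = builder_uid
            tar.addfile(info, io.BytesIO(data))
    # gzip also stores a timestamp in its header: a second hidden source of drift
    return gzip.compress(buf.getvalue(), mtime=int(build_time))


def reproducible_package(tree, source_date_epoch=None):
    """Reproducible packaging: sorted member order, SOURCE_DATE_EPOCH as the
    only timestamp (tar members and gzip header), fixed root ownership."""
    if source_date_epoch is None:
        source_date_epoch = int(os.environ.get("SOURCE_DATE_EPOCH", "0"))
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tar:
        for path in sorted(tree):  # same sorting method on every builder
            data = tree[path]
            info = tarfile.TarInfo(path)
            info.size = len(data)
            info.mtime = source_date_epoch
            info.uid = info.gid = 0
            info.uname = info.gname = "root"
            tar.addfile(info, io.BytesIO(data))
    return gzip.compress(buf.getvalue(), mtime=source_date_epoch)


def sha256(blob):
    """Hex digest used for the byte-for-byte comparison."""
    return hashlib.sha256(blob).hexdigest()


def verify(distributed, rebuilt):
    """What a rebuilder does with a downloaded package and its local rebuild:
    returns (match, distributed_digest, rebuilt_digest)."""
    d, r = sha256(distributed), sha256(rebuilt)
    return d == r, d, r


def demo():
    """Mimic the distro's build (first call) and an independent rebuild on a
    different machine (different walk order, later clock) for both schemes."""
    shuffled = dict(reversed(list(SAMPLE_TREE.items())))
    naive = verify(naive_package(SAMPLE_TREE, build_time=1_600_000_000),
                   naive_package(shuffled, build_time=1_600_000_100))
    repro = verify(reproducible_package(SAMPLE_TREE, 1_600_000_000),
                   reproducible_package(shuffled, 1_600_000_000))
    return {"naive": naive[0], "reproducible": repro[0]}


if __name__ == "__main__":
    for scheme, ok in demo().items():
        print(f"{scheme:13s} rebuild matches distributed package: {ok}")
```

The naive scheme diverges even though every file's content is identical, which is exactly the situation in which a user cannot tell a benign rebuild from a tampered one. The reproducible scheme pins the ordering and timestamps so that any mismatch in `verify` is a real content difference worth investigating.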

Source: opennet.ru
