Reading stuff around the xz backdoor saga, I came to the realization that, to prevent some of that stuff, there were such initiatives a long time ago, which have worked to verify that binaries correspond to source code.
What I didn't realize before is that there are already successful whole-OS reproducible package builds and preparations for verification tools for normal users.
Reproducible builds guarantee that the package maintainer did not inject his own malware into the package when building it. This is the least concern, because Arch TUs are, by definition, trusted users. You and I, and everyone here, obviously trust them unconditionally; otherwise we wouldn't be using Arch. They have the power to screw us, and if they decide to do so, we are screwed. No question about that.
Anyone who doubts them and continues to use their packages is clearly in contradiction and should immediately stop, and probably use Gentoo.
Consequently, they only get one chance: if malware is found in the Arch repos and it is proven to have been deliberately injected there by some TU, the only rational thing is to stop using Arch.
The problem with malware in FOSS is clearly not enough code review; reproducible builds won't fix that.
Reproducible builds would be nice for binary-distributed AUR packages, though, for stuff that takes hours to build, like LibreWolf. For such big packages, however, reproducibility is just a dream.
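The guarantee being argued about above, in miniature. This is an added example, not code from the thread or from Arch's build tooling: it assumes that the last step of a "build" is packing a tree of files into a .tar.gz, uses a small constructed file tree instead of a real package, and pins timestamps through the SOURCE_DATE_EPOCH convention that makepkg and the reproducible-builds.org specification use. It packs the same tree the naive way (wall-clock times, builder uid, filesystem order) and the reproducible way, then shows which fields made two naive builds differ and that two reproducible builds are byte-identical, so any injected byte would change the hash an independent rebuilder computes.

```python
"""Reproducible vs. non-reproducible packaging of a file tree (added example).

Assumption: a 'build' here is only the final tar.gz packing step; real
packages add compilers, linkers and archivers, each with its own sources
of non-determinism, but the checking technique is the same.
"""
import gzip
import hashlib
import io
import os
import tarfile
import time

# Constructed sample build tree (not a real package): path -> file contents.
SAMPLE_TREE = {
    "usr/share/doc/hello/README": b"hello package\n",
    "usr/bin/hello": b"#!/bin/sh\necho hello\n",
}


def _member(name, data, mtime, uid, gid):
    """Build a tar header for one file with every variable field set explicitly."""
    info = tarfile.TarInfo(name)
    info.size = len(data)
    info.mtime = mtime
    info.uid, info.gid = uid, gid
    info.mode = 0o755 if name.startswith("usr/bin/") else 0o644
    return info


def naive_package(tree, build_time=None):
    """The usual, non-reproducible way: wall-clock mtimes, the builder's own
    uid/gid, files in whatever order the filesystem (here: the dict) yields
    them, and a gzip header stamped with the build time."""
    if build_time is None:
        build_time = int(time.time())
    uid = getattr(os, "getuid", lambda: 1000)()  # fallback for platforms without getuid
    gid = getattr(os, "getgid", lambda: 1000)()
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name, data in tree.items():
            tar.addfile(_member(name, data, build_time, uid, gid), io.BytesIO(data))
    return gzip.compress(raw.getvalue(), mtime=build_time)


def reproducible_package(tree, source_date_epoch=None):
    """Reproducible: every source of variation is pinned. Member mtimes come
    from SOURCE_DATE_EPOCH, ownership is root:root, members are sorted by
    path, and the gzip header carries mtime=0."""
    if source_date_epoch is None:
        source_date_epoch = int(os.environ.get("SOURCE_DATE_EPOCH", "0"))
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in sorted(tree):
            data = tree[name]
            tar.addfile(_member(name, data, source_date_epoch, 0, 0), io.BytesIO(data))
    return gzip.compress(raw.getvalue(), mtime=0)


def sha256(blob):
    """Hex digest a rebuilder would compare against the published package's hash."""
    return hashlib.sha256(blob).hexdigest()


def explain_mismatch(a, b):
    """List which member fields differ between two tarballs (what diffoscope
    does for real packages). Returns [] when the archives are byte-identical."""
    if a == b:
        return []
    diffs = []
    with tarfile.open(fileobj=io.BytesIO(a), mode="r:gz") as ta, \
         tarfile.open(fileobj=io.BytesIO(b), mode="r:gz") as tb:
        ma, mb = ta.getmembers(), tb.getmembers()
        if [m.name for m in ma] != [m.name for m in mb]:
            diffs.append("member order")
        by_name = lambda m: m.name
        for x, y in zip(sorted(ma, key=by_name), sorted(mb, key=by_name)):
            for field in ("mtime", "uid", "gid", "mode", "size"):
                if getattr(x, field) != getattr(y, field):
                    diffs.append(f"{x.name}: {field} {getattr(x, field)} != {getattr(y, field)}")
    if not diffs:
        diffs.append("compressed stream only (gzip header timestamp)")
    return diffs


if __name__ == "__main__":
    # Two "builders" packing the same tree an hour apart, directory listed in a different order.
    first = naive_package(SAMPLE_TREE, build_time=1700000000)
    second = naive_package(dict(reversed(list(SAMPLE_TREE.items()))), build_time=1700003600)
    print("naive builds match:", sha256(first) == sha256(second))
    for line in explain_mismatch(first, second):
        print("  differs:", line)
    r1 = reproducible_package(SAMPLE_TREE, source_date_epoch=1700000000)
    r2 = reproducible_package(dict(reversed(list(SAMPLE_TREE.items()))), source_date_epoch=1700000000)
    print("reproducible builds match:", sha256(r1) == sha256(r2))
```

The point the rebuild makes is not that the tree is safe, only that the bytes a second party builds from the same source match the bytes the maintainer published; code review of the source is still a separate job, as the post above says.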
Well, thx buddy. Yes, I'm schizo because I do NOT trust anyone, but I'm not quite ready to use Gentoo just yet.
Every distro TU has missed xz, and just some M$ dev benchmark autist accidentally caught it… yeah.
There’s no such thing as trusted, in my view.
Anyone can be a malicious actor, even if it takes a very long time of persistence to gain trust… and nobody in the universe can really audit all the source code on their own, be it a Gentoo user or a super-h4xXx0r…
Not really; if you look at the package stats of Arch above… if Chromium is reproducible, there's no reason Firefox / LibreWolf wouldn't be in the near future.