App installer design: only source packages or reproducible builds

Gianguido Sorà gianguidorama at gmail.com
Sat May 18 22:13:44 UTC 2013


Why not simply create a source package too? It would be simple and speedy!


On 16 May 2013, at 19:08, Jos van den Oever
<jos at vandenoever.info> wrote:

> Hi all,
>
> An aspect of the package format which has not been brought up yet is the reproducibility of the builds.
>
> The availability of the source of a package implies that a user can create the binaries from the source. However, in practice, it is rarely the case that running the build command that makes a binary package from a source package results in a package with the same binary.
>
> This deficiency means that the receiver of the software does not have the freedom to study how the program works, because it is very hard or nearly impossible to verify that the provided binary was obtained by compiling the provided source code.
>
> There are two solutions to this problem:
> 1) only ship source code and let the user compile
> 2) make sure that the process to turn the source code into a binary is as predictable as 1 + 1 = 2.
>
> Is it a goal of the app installer and package format to let the receivers of the software enjoy the freedom to study how the program works?
>
> Best regards,
> Jos
>
> --
> ubuntu-devel mailing list
> ubuntu-devel at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
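
The second option in the quoted message (a build as predictable as 1 + 1 = 2), as an added example that is not part of the original thread: a package archive whose bytes depend only on the file contents, so a receiver can rebuild it and compare SHA-256 digests. The file set, the pinned timestamp and all function names are constructed for illustration and do not describe the Ubuntu app installer format.

```python
import gzip
import hashlib
import io
import tarfile

# Constructed sample build output (path -> contents); not a real package.
FILES = {
    "usr/share/doc/hello/copyright": b"constructed sample text\n",
    "usr/bin/hello": b"#!/bin/sh\necho hello\n",
}
FIXED_EPOCH = 1368900000  # constructed pinned timestamp (assumption)

def pack(files, names, mtime, owner):
    """Pack `files` in the order given by `names`; return .tar.gz bytes."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mode = 0o755 if name.startswith("usr/bin/") else 0o644
            info.mtime = mtime
            info.uname = info.gname = owner
            tar.addfile(info, io.BytesIO(files[name]))
    out = io.BytesIO()
    # The gzip header carries its own timestamp, so it is pinned as well.
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=mtime) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def naive_build(files, build_time, builder):
    """Leaks build time, builder account and file listing order."""
    return pack(files, list(files), build_time, builder)

def reproducible_build(files):
    """Depends only on file contents: sorted names, pinned metadata."""
    return pack(files, sorted(files), FIXED_EPOCH, "root")

def digest(blob):
    return hashlib.sha256(blob).hexdigest()

def receiver_verifies(shipped, files):
    """Receiver rebuilds from the same inputs and compares digests."""
    return digest(reproducible_build(files)) == digest(shipped)
```

With the naive build, two honest builders produce different digests from identical inputs, so a mismatch tells the receiver nothing; with the pinned build, any mismatch means the shipped binary did not come from those inputs.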


