Deterministic Build Blockchain

What about using deterministic builds at the C/C++/Python library dependency level instead of at the package level? Each dev in the group compiles the library dependencies one after another and produces a hash which is then uploaded to a blockchain. The hashes of these deterministically built libraries are compared by the blockchain. Users can check this blockchain to verify the individual library dependencies which make up the packages have been deterministically built by multiple devs. This hash could even be signed with the dev’s public key.

This would also make it easier to verify which C library dependencies are included for hardening purposes, e.g. muslc, LibreSSL, Wayland, etc.
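The scheme sketched in the post above (several builders each rebuild a dependency, hash the output, sign the hash, publish it to an append-only chain, and clients accept a digest only when independent builders agree) as an added Go example; this is not code from the original post or from Qubes OS. It uses Ed25519 and SHA-256 from Go's standard library. The builder names, the artifact name "libfoo-1.0", the quorum value and the build bytes are constructed for the demo, and the "blockchain" is reduced to one hash-chained log whose head a verifier pins, with no peer-to-peer consensus. In the code the builder signs with its private key and everyone else checks with the public key, and a split vote (same artifact, different digests) is treated as a failure rather than a majority win.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Attestation is one builder's signed claim: "I rebuilt Artifact and got Digest".
type Attestation struct {
	Builder  string
	Artifact string            // dependency name, e.g. "libfoo-1.0" (constructed for the demo)
	Digest   string            // hex SHA-256 of the build output
	Pub      ed25519.PublicKey // builder's verification key
	Sig      []byte            // Ed25519 signature over payload()
}

// payload is the domain-separated message that gets signed; binding builder and
// artifact stops a signature being replayed for another artifact or builder.
func (a Attestation) payload() []byte {
	return []byte("repro-attest-v1\n" + a.Builder + "\n" + a.Artifact + "\n" + a.Digest)
}

// NewBuilderKey creates a fresh Ed25519 signing key for one builder.
func NewBuilderKey() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv
}

// Attest hashes a build output and signs the digest with the builder's private key.
func Attest(priv ed25519.PrivateKey, builder, artifact string, output []byte) Attestation {
	sum := sha256.Sum256(output)
	a := Attestation{Builder: builder, Artifact: artifact, Digest: hex.EncodeToString(sum[:]),
		Pub: priv.Public().(ed25519.PublicKey)}
	a.Sig = ed25519.Sign(priv, a.payload())
	return a
}

// Verify checks the signature with the builder's public key. A deployment would also
// check Pub against a roster of trusted builders, which this demo omits.
func Verify(a Attestation) bool {
	return len(a.Pub) == ed25519.PublicKeySize && ed25519.Verify(a.Pub, a.payload(), a.Sig)
}

// Ledger is a hash-chained, append-only log. Head commits to every earlier entry,
// so a verifier who remembers Head detects any later rewrite of history.
type Ledger struct {
	Entries []Attestation
	Head    string // "" before the first entry
}

// link derives the next head from the previous head and the new entry.
func link(prev string, a Attestation) string {
	h := sha256.Sum256([]byte(prev + "\n" + hex.EncodeToString(a.Sig) + "\n" + string(a.payload())))
	return hex.EncodeToString(h[:])
}

// Append rejects forged attestations and chains accepted ones onto Head.
func (l *Ledger) Append(a Attestation) error {
	if !Verify(a) {
		return fmt.Errorf("ledger: bad signature on %s from %q", a.Artifact, a.Builder)
	}
	l.Entries = append(l.Entries, a)
	l.Head = link(l.Head, a)
	return nil
}

// Valid replays the chain from genesis and checks it reproduces Head.
func (l *Ledger) Valid() bool {
	h := ""
	for _, a := range l.Entries {
		if !Verify(a) {
			return false
		}
		h = link(h, a)
	}
	return h == l.Head
}

// Consensus returns the digest for artifact when at least quorum distinct builders
// report it and nobody reports a different one: a split vote means the build is not
// deterministic (or a builder is lying), and either way the result is untrusted.
func (l *Ledger) Consensus(artifact string, quorum int) (string, bool) {
	seen, votes := map[string]bool{}, map[string]int{}
	for _, a := range l.Entries {
		if a.Artifact == artifact && !seen[a.Builder] { // one vote per builder
			seen[a.Builder] = true
			votes[a.Digest]++
		}
	}
	for d, n := range votes {
		if len(votes) == 1 && n >= quorum {
			return d, true
		}
	}
	return "", false
}

func main() {
	alice, bob := NewBuilderKey(), NewBuilderKey()
	out := []byte("constructed libfoo.a bytes") // stand-in for a real build output
	var l Ledger
	l.Append(Attest(alice, "alice", "libfoo-1.0", out))
	l.Append(Attest(bob, "bob", "libfoo-1.0", out))
	d, ok := l.Consensus("libfoo-1.0", 2)
	fmt.Println("libfoo-1.0 agreed:", ok, d, "ledger intact:", l.Valid())
}
```

A valid signature only proves which key made a claim, not that the claim is honest; what gives the digest weight is that independent builders reached the same bytes, which is why `Consensus` counts one vote per builder and refuses any split. The roster check left out of `Verify` matters in practice: without it anyone can mint a key and vote, so a real ledger would only count attestations from keys it already trusts.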

@huaopeng I see you’re really interested in reproducible builds, but I’d have to ask that you focus your efforts. You’ve opened 3+ topics on the subject recently, all with very little traction – maybe because you’re not focusing your efforts on one discussion.

This one in particular is nothing specific to Qubes OS. Also, development discussions are more likely to be seen by developers on the qubes-devel mailing list.
