Commit graph

6 commits

Author SHA1 Message Date
2acf1441aa index: fix link 2025-11-01 14:24:40 +01:00
050f8ac317 Start Common Problems page with one entry 2025-02-07 11:22:26 +01:00
8adb495875 Drop separate FAQ page
I want to add a new "Common Problems" page with a nested structure.
We have just one FAQ, and I don't think we'll want to add more, so let's
drop this separate page for now. We can always add it back later if it
turns out that we indeed have some common questions for which we don't
have a better place for the answers.
2025-02-07 11:22:26 +01:00
Jan Zerebecki
bbae9bfc8a
Remove unrelated, incorrect assertions
As the correction might be out of scope for this specific page, I only
leave it in this message. Some of this should probably be added to the
reproducible-builds.org documentation.

It is better to concentrate on security arguments using reproducible
builds, instead of security of build infrastructure, as the former is
more general and stronger than the latter.

My understanding is that the trust argument for Debian compared to
Fedora is more scientific and for a higher level. But let's concentrate
on how we can improve both.

For sources, availability and integrity are relevant.

For availability, it is a good idea to be able to mirror the sources for
a whole distribution. While history is not a direct concern of
reproducible builds, it is important for the security arguments it
enables and security review in general. With Git in default
configuration it is easy to have history be overwritten by a fetch from
a remote and thus it would later be also locally garbage collected.
https://gitlab.com/JanZerebecki/git-backup is a prototype on how to deal
with that.

For integrity, signing git commits is useful, but needs to be much more
automated. Often even important repos lack a basic level of signatures
by the authors (see e.g. the Fedora or openSUSE kernel package). But
even where signatures exist the necessary metadata is not discoverable.
https://gitlab.com/source-security/git-verify is a prototype that shows
how verification and creation of commit signatures can be enabled by
default.
2024-03-28 17:41:22 +01:00
Davide Cavalca
0fdf1fa4f3 Expand benefits section 2024-03-08 16:12:13 -08:00
Davide Cavalca
1d6aa63e67 Initial commit 2024-02-29 10:17:17 -08:00