2022-02-17 · 1 min read
Independent verification system of binary packages.
What: rebuilderd is a build system that attempts to reproduce build artifacts. It compiles the source code in a similar build environment and compares it to the official pre-built artifacts. This helps identify supply-chain compromises. This website hosts a list of public instances publishing their results.
rebuilderd monitors the package repository of a Linux distribution and uses rebuilder backends such as archlinux-repro to verify that the provided binary packages can be reproduced from the given source code.
It tracks the state of successfully verified packages and optionally generates a report of differences with diffoscope for debugging. Note that, given the early state of this technology, a failed rebuild is more likely caused by a non-deterministic build process than by a supply-chain compromise. However, if multiple rebuilders you trust report 100% reproducible results for the set of packages you use, you can be confident that the binaries on your system have not been tampered with. People are encouraged to run their own rebuilders if they can afford to.
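The rebuild-and-compare loop described above, reduced to a shell script as an added illustration (this is not rebuilderd's or archlinux-repro's code). The "package" is a constructed two-file source tree, the "compiler" is a stand-in that concatenates sources in a fixed order, and `diff` stands in for diffoscope; the names `hello-deterministic` and `hello-timestamped` are made up for the example. It also shows the caveat from the text: a build that embeds a per-run value fails to reproduce even though nothing malicious happened.

```shell
#!/bin/sh
# Added example, not rebuilderd's own code: one package through the rebuild-and-compare loop.
# Constructed inputs throughout; GOOD/BAD mirror the two states a rebuilder tracks.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# sha256 of a file, using whichever tool the host provides
digest() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Constructed source tree standing in for a package's source code
make_source() {
  mkdir -p "$1"
  printf 'int main(void) { return 0; }\n' > "$1/main.c"
  printf 'all: main.c\n' > "$1/Makefile"
}

# A deterministic "compiler": output depends only on file contents and a fixed file order
build_deterministic() {
  find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do cat "$f"; done > "$2"
}

# A non-deterministic "compiler": same output plus a per-build random value, which is
# what embedded timestamps, temp paths or unordered hash-map iteration look like to a rebuilder
build_nondeterministic() {
  build_deterministic "$1" "$2"
  od -An -tx1 -N8 /dev/urandom >> "$2"
}

# Compare the official artifact ($1) with the independent rebuild ($2).
# On mismatch, print a diff to stderr as a stand-in for the diffoscope report.
rebuild_status() {
  if [ "$(digest "$1")" = "$(digest "$2")" ]; then
    echo GOOD
  else
    diff -u "$1" "$2" >&2 || true
    echo BAD
  fi
}

# Run one package through the loop: build once as "the distribution", once as "the rebuilder"
verify_package() {
  pkg=$1; builder=$2
  src="$WORK/$pkg/src"; make_source "$src"
  "$builder" "$src" "$WORK/$pkg/official.bin"   # artifact the repository shipped
  "$builder" "$src" "$WORK/$pkg/rebuilt.bin"    # the rebuilder's own build from the same source
  rebuild_status "$WORK/$pkg/official.bin" "$WORK/$pkg/rebuilt.bin"
}

demo_reproducible()     { verify_package hello-deterministic build_deterministic; }
demo_nondeterministic() { verify_package hello-timestamped build_nondeterministic; }

echo "hello-deterministic: $(demo_reproducible)"
echo "hello-timestamped:   $(demo_nondeterministic)"
```

The second package reports BAD on every run, and the diff on stderr shows only the trailing random bytes; that is the signature of a non-deterministic build rather than a tampered artifact, which is why the text says a single failed rebuild should not be read as a compromise.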