by dane-pgp
2053 days ago
For what it's worth, Debian's gnupg2 package builds reproducibly[0]. That doesn't mean that the Debian-specific patches[1] have necessarily been widely audited though, even if the upstream code itself has enough eyes on it. Also it's not exactly clear how an end user would discover that the Debian package they installed had a different checksum from the version that was reproducibly built, or if sufficiently independent teams are re-creating these checksums and have a way of notifying people of discrepancies.

[0] https://tests.reproducible-builds.org/debian/rb-pkg/unstable...

[1] https://sources.debian.org/src/gnupg2/2.2.20-1/debian/patche...