I've been long fascinated by the rolling release model. But aren't you guys worried about supply chain attacks? Seems those on the bleeding edge serve as canaries in the coal mine for the rest of us.
That's the purpose of reproducible build initiatives like TFA. The idea is to ensure that identical source produces bit-for-bit identical builds on multiple machines when the packages are built.
Sure, if the source itself gets got, then it does nothing. But it at least puts up one more barrier against tampering with the artifacts.
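The bit-for-bit comparison described above, as an added illustration that is not part of this thread or of Arch's own tooling: a toy build step is run twice on the same source, first with a wall-clock timestamp baked into the artifact and then with SOURCE_DATE_EPOCH (the reproducible-builds.org convention) pinned, and the two outputs are compared by hash. The build() function and the scratch file layout are assumptions made for the demo.

```shell
# Added example: a toy "package build" run twice and compared bit-for-bit.
# Not real distro tooling; build() stands in for any build step that
# embeds a timestamp unless SOURCE_DATE_EPOCH tells it not to.
set -eu

# Hash helper: sha256sum where available, POSIX cksum otherwise.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        cksum "$1" | cut -d' ' -f1
    fi
}

# Hypothetical build step: wraps the source in an artifact that carries a
# build timestamp, as many build systems do by default. When
# SOURCE_DATE_EPOCH is set, that value replaces the wall clock.
build() {
    src=$1; out=$2
    if [ -n "${SOURCE_DATE_EPOCH:-}" ]; then
        stamp=$SOURCE_DATE_EPOCH
    else
        stamp=$(date +%s)
    fi
    { printf 'built-at: %s\n' "$stamp"; cat "$src"; } > "$out"
}

# Build the same source twice, a second apart, and compare the artifacts.
# Prints the verdict and returns 0 (identical) or 1 (differs).
check_reproducible() {
    src=$1
    build "$src" "$src.build1"
    sleep 1   # make sure the wall clock advances between the two builds
    build "$src" "$src.build2"
    if [ "$(digest "$src.build1")" = "$(digest "$src.build2")" ]; then
        echo "reproducible"; return 0
    fi
    echo "NOT reproducible"; return 1
}

# Constructed sample source for the demo.
workdir=$(mktemp -d)
printf 'int main(void) { return 0; }\n' > "$workdir/src.txt"
# 1) default build: the embedded timestamp differs, so the hashes differ
unset SOURCE_DATE_EPOCH
check_reproducible "$workdir/src.txt" || true
# 2) timestamp pinned via SOURCE_DATE_EPOCH: identical artifacts
export SOURCE_DATE_EPOCH=1700000000
check_reproducible "$workdir/src.txt"
```

The same idea scales up to a whole package: pin every source of nondeterminism (timestamps, file ordering, build paths, uids) and then a second builder can verify the published artifact simply by comparing hashes.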
They have a tracker for what percent of the distro is reproducible: https://reproducible.archlinux.org/