by azkalam 37 days ago
Reproducible builds reduce the need for trusted parties.

Have many organizations produce the binaries independently and post the artifacts.

Once n of m parties agree on the artifact hash, take that as the trusted build.

If every party reaches a different hash then we cannot build consensus.

1 comments
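The n-of-m rule from the post above, as an added example that is not part of the original thread. The builder names, the `tally` function and the fixed builder list are assumptions made for illustration; the example goes a little beyond the post by giving each known builder one vote, discarding builders that post two different hashes, and flagging the case where two hashes both reach n.

```python
import hashlib
from collections import defaultdict

# Constructed sample data: two digests and a fixed list of m = 5 builders.
GOOD = hashlib.sha256(b"constructed artifact A").hexdigest()
BAD = hashlib.sha256(b"constructed artifact B").hexdigest()
BUILDERS = {"org1", "org2", "org3", "org4", "org5"}
SAMPLE = [("org1", GOOD), ("org2", GOOD.upper()), ("org3", GOOD),
          ("org4", BAD), ("mallory", BAD), ("mallory2", BAD)]

HEX = set("0123456789abcdef")

def tally(attestations, n, builders=BUILDERS):
    """Return (status, digest) from (builder_id, sha256_hex) pairs."""
    if not 0 < n <= len(builders):
        raise ValueError("need 0 < n <= m")
    seen = {}            # builder -> first digest it posted
    equivocated = set()  # builders that posted two different digests
    for builder, digest in attestations:
        if builder not in builders:
            continue     # unknown identities get no vote
        digest = digest.strip().lower()
        if len(digest) != 64 or not set(digest) <= HEX:
            continue     # not a SHA-256 hex digest
        if seen.setdefault(builder, digest) != digest:
            equivocated.add(builder)
    votes = defaultdict(set)
    for builder, digest in seen.items():
        if builder not in equivocated:
            votes[digest].add(builder)
    winners = [d for d, who in votes.items() if len(who) >= n]
    if len(winners) == 1:
        return ("trusted", winners[0])
    if winners:
        return ("conflict", None)      # only possible when n <= m/2
    return ("no-consensus", None)

if __name__ == "__main__":
    print(tally(SAMPLE, n=3))
```

Choosing n greater than m/2 rules out the `conflict` outcome, since two different hashes cannot both collect n distinct builders.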

To move away from organizational dependence, there should be an installable project for Debian where I can dedicate some configurable small percentage of my compute when idle to reproducibly building Debian components to make a robust verification system, starting with the most critical code.

Obviously, it would be a ton of work to make such a system resistant to gaming by malicious actors (see GNU Guix for useful efforts), but it would provide valuable diversity in architecture and (political or other) control.

It would be even cooler if we could have independent projects that could run on various distros and OSes, and build packages for any of them. Having packages for BSD verified on Linux and vice-versa with statistical logging (this code has been verified x times on y OSes) would be reassuring.

I think that project is called Ubuntu.
I don't know of anything Ubuntu is doing that is significantly beyond what Debian is doing in this regard, nor that they have a distributed reproduction system set up???
Building Ubuntu does not produce identical binaries to Debian, so no, that's not what they're asking for.