Binary Distribution Rebuilds

(blog.josefsson.org)

30 points JNRowe | 2 comments | 31 Mar 25 12:22 UTC | HN request time: 0.65s | source

Show context

lrvick ◴[04 Apr 25 09:42 UTC] No.43580022[source]▶

>>43534143 (OP) #

As an alternative to Guix with a much more strict supply chain security policy, consider: https://stagex.tools/

replies(1): >>43586217 #

1. yjftsjthsd-h ◴[04 Apr 25 18:38 UTC] No.43586217[source]▶

>>43580022 #

Thanks, that's really cool. Have you used this? Does it work well and are there pain points to look out for? A necessarily hosted system strikes me as not exactly covering a full Trusting Trust situation (because the host can compromise it) but it otherwise looks really solid at a glance.

replies(1): >>43590910 #

2. lrvick ◴[05 Apr 25 05:05 UTC] No.43590910[source]▶

>>43586217 (TP) #

I use it for all my projects at several orgs, with several languages. I am the founding engineer of the project so I am likely a bit biased on ideal developer UX though.

Just drop a Containerfile in your project with pinned hashes of all dependencies and you will likely get deterministic results of your own software basically for free.

Here are some standalone projects that are built deterministically with stagex:

- https://codeberg.org/stagex/repros

- https://git.distrust.co/public/airgap

- https://git.distrust.co/public/enclaveos

- https://github.com/tkhq/quorumos

- https://github.com/siderolabs/toolchain/blob/main/Pkgfile#L5...

- https://github.com/MystenLabs/sui/blob/main/docker/sui-node-...

- https://github.com/tkhq/tkcli/blob/main/src/Dockerfile

↑