Provenance of binaries / reproducibility #4
Comments
|
Hi Mark, All good points. I've updated the binary packages section to indicate the origin of the packages used by my latest build of kWSL, which is now tracking with KDE Neon. I'll work on tidying-up the xRDP repack but this should go a long way towards being able to reproduce binaries on your own. |
|
What about the xrdp-egfx now? I read something in comments of the official repository and I think the egfx stuff has been merged in development branch, but I am not sure. What do you think? |
|
Yes I believe H.264 was recently merged into devel. When I have time I may take a crack at creating Debian/Ubuntu packages. |
|
Thank you, in the meantime I keep on using your 0.9.19 package, it works well on my windows 11 wsl2 kde installation. But I was wondering if the official xrdp now could work better... |
Recommending that users clone the repo to have control over its content is not bad, but a security-conscious user should also care about any opaque files, such as packages or binaries. So:
Why are these files necessary?
Where do they come from?
How would one rebuild them?
Ideally we'd be able to do a reproducible build, producing byte-for-byte identical files, but setting that up is likely a lot of work.
The text was updated successfully, but these errors were encountered: