A tale of several distros joining forces for a common goal: reproducible builds

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  1. yek

    A fast Rust based tool to serialize text-based files in a repository or directory for LLM consumption

    20 years ago I was a Linux user and was going through all of the pains of using apps on Linux.

    This month I was building a simple CLI app[1] and decided to publish it for Linux too. To this day it's a mess. You have to build for a few targets and it's still not clear to me if I'm covering all Linux users?

    Why is it such an impossible task to make it possible for Linux users to download and use apps like Windows and Mac?

    [1] https://github.com/bodo-run/yek/

  3. cargo-crev

    A cryptographically verifiable code review system for the cargo (Rust) package manager.

    It unfortunately doesn't help in cases like this. Reproducible Builds gives you a trusted path from source to binary, but it doesn't help with backdoors in the source code/build instructions.

    For that we'd need some sort of source code reviewing effort like https://github.com/crev-dev/cargo-crev implements. I've started whatsrc.org to keep track of the source code inputs we're putting into our computers (that would benefit from reviews), but the conclusion is also somewhat "it's too much".

  4. zig

    General-purpose programming language and toolchain for maintaining robust, optimal, and reusable software.

    Regarding the reproducible bootstrapping problem, what is your project's policy on building from binary sources? For instance, Zig is written in zig and bootstraps from a binary wasm file which is translated to C: https://github.com/ziglang/zig/tree/master/stage1

    Golang has an even more complicated bootstrapping procedure, requiring each successive version of the compiler to be built in order to get to the most recent version.

  5. spytrap-adb

    Test a phone for stalkerware using adb and usb debugging to scan for suspicious apps and configuration

    I use repro-env to implement reproducible builds for my Github binaries and custom apt repository[1]:

      - https://github.com/spytrap-org/spytrap-adb/releases/tag/v0.3.3

  6. sh4d0wup

    Signing-key abuse and update exploitation framework

    - https://github.com/kpcyrd/sh4d0wup/releases/tag/v0.10.0

  7. rshijack

    TCP connection hijacker, Rust rewrite of shijack

    - https://github.com/kpcyrd/rshijack/releases/tag/v0.5.2

  8. archlinux-userland-fs-cmp

    Forensic tool to read all installed packages from a mounted Arch Linux drive and compare the filesystem to a trusted source

    - https://github.com/kpcyrd/archlinux-userland-fs-cmp/releases/tag/v0.1.0

  10. repro-env

    Dependency lockfiles for reproducible build environments 📦🔒

    - https://github.com/kpcyrd/repro-env/releases/tag/v0.4.1

  11. apt-vulns-xyz

    The source code for a reproducible apt repository

NOTE: The number of mentions on this list counts mentions in common posts plus user-suggested alternatives. Hence, a higher number means a more popular project.
