110 sats \ 3 replies \ @BlokchainB 9 Aug 2023 \ on: Why reproducibility matters | Foundation tech
It matters but the common person can’t do it.
We've made it pretty much copy and paste for many users with our new guide, but it's certainly a difficult barrier of entry for many to even open a CLI!
Definitely something we can improve on and continue to make easier for the masses, and until then sites like Wallet Scrutiny can help people make decisions based on reproducibility and/or compare their results.
reply
Not to be cynical but I looked at this
In order to build and verify the reproducibility of Passport firmware, you will need to: Get the source code Install the dependencies Docker Just Build the reproducible binaries Verify the binaries match the: Published build hash Release binary (with signatures stripped out) hash We’ll walk through every step above in this guide to ensure you can build and verify any version of Passport’s firmware easily.
So to do this you need docker and just. I’m just confused as things should be reproducible but depend on docker which I heard of and just which I have never heard of. I am assuming they are trusted software packages but can you do this rebuild without docker and just.
reply
This is the easy path to make it more accessible, and relying on Docker is absolutely standard and almost required in reproducible builds. Justfiles are simply human-readable scripts in the style of Bash scripting that reduce the amount of copy-pasting without obfuscating anything (we link to all the relevant Justfile lines in the guide).
If you want to do this as "from scratch" as possible, I'd recommend looking at the Wallet Scrutiny script we recently built to help them verify builds here:
That removes all reliance on Just.
reply