rebuilderd is an independent verification system that checks whether binary packages can be reproduced from their source code, as a way of strengthening software supply chain security.
Independent verification of binary packages - Reproducible Builds
rebuilderd is used by Linux distribution maintainers and security-conscious users to verify that binary packages can be reliably rebuilt from their source code, so that tampering or compromise in the software supply chain can be detected. It is particularly useful for distributions such as Arch Linux, Debian, and Tails, where it automates reproducible build verification and generates detailed difference reports for debugging.
Because reproducible build technology is still at an early stage, a failed rebuild is more often caused by a non-deterministic build process than by a supply chain compromise. Users are encouraged to run several independently operated, trusted rebuilders and compare their results for higher confidence. Some backends require specific host capabilities, such as access to /dev/kvm or a privileged container, which have security implications of their own. Not all backends support running inside Docker containers.
Getting started:
1. Clone the repository from https://github.com/kpcyrd/rebuilderd
2. Install the dependencies listed in the development section (not detailed in the README)
3. Run a rebuilderd instance using the provided scripts or the docker-compose example
4. Configure rebuilderd to monitor the desired Linux distribution repository
5. Optionally set up the web frontend (rebuilderd-website) to view the results in a browser
Example command:
    rebuildctl pkgs ls
This lists the packages tracked by the rebuilderd instance together with their verification status.