orbit
orbit copied to clipboard
Reproducible builds
I see that orbit is moving to Circle CI automatically publishing release artifacts. Are builds reproducible, or is there any other way to establish trust with these builds?
Right now they're not. Ideas how to do this, ideally with CircleCI, would be highly appreciated @lgierth.
My implicit concern is that we should not advertise releases that were built on untrusted third-party machines without a way of verifying their integrity
:+1: I think it's something we can have a chat about when it comes to general artifacts produced by IPFS projects. Would be good to have a process on how we can do the builds and how to verify them.