DesktopECHO / kWSL

KDE Neon 6.0 installer for WSL1 or WSL2.
168 stars 47 forks source link

Provenance of binaries / reproducibility #4

Open mpictor opened 4 years ago

mpictor commented 4 years ago

Recommending that users clone the repo to have control over its content is not bad, but a security-conscious user should also care about any opaque files, such as packages or binaries. So:

Why are these files necessary?

Where do they come from?

How would one rebuild them?

Ideally we'd be able to do a reproducible build, producing byte-for-byte identical files, but setting that up is likely a lot of work.

DesktopECHO commented 3 years ago

Hi Mark,

All good points. I've updated the binary packages section to indicate the origin of the packages used by my latest build of kWSL, which is now tracking with KDE Neon.

I'll work on tidying-up the xRDP repack but this should go a long way towards being able to reproduce binaries on your own.

harrier77 commented 4 months ago

What about the xrdp-egfx now? I read something in comments of the official repository and I think the egfx stuff has been merged in development branch, but I am not sure. What do you think?

DesktopECHO commented 4 months ago

Yes I believe H.264 was recently merged into devel. When I have time I may take a crack at creating Debian/Ubuntu packages.

harrier77 commented 4 months ago

Thank you, in the meantime I keep on using your 0.9.19 package, it works well on my windows 11 wsl2 kde installation. But I was wondering if the official xrdp now could work better...