Open ghost opened 7 years ago
Right now they're not. Ideas how to do this, ideally with CircleCI, would be highly appreciated @lgierth.
My implicit concern is that we should not advertise releases that were built on untrusted third-party machines without a way of verifying their integrity
:+1: I think it's something we can have a chat about when it comes to general artifacts produced by IPFS projects. Would be good to have a process on how we can do the builds and how to verify them.
I see that orbit is moving to Circle CI automatically publishing release artifacts. Are builds reproducible, or is there any other way to establish trust with these builds?