
StageX does reproducible builds, so they are signed independently and can also be verified locally. I don't think it applies to Astral, but it's useful for packages with a single maintainer or a vulnerable CI, where there is only one point of failure.

But I also think it'd be nice if projects provided a first-party StageX build, like many do with a Dockerfile or a Nix flake.



Once we have better support for multiarch in stagex, since StageX is distributed as OCI images, you could just replace your existing Dockerfile bases with stagex.



