On Wed, Aug 14, 2024, at 9:21 AM, Felix Lechner wrote:
> The serving someone else's substitutes could also arise more innocently,
> for example via a technical misconfiguration or because of an incentive
> system that rewards the contribution of substitutes.

Yes, indeed. And you may very well want such an incentive system, because 
having many people distribute substitutes in a P2P system is a natural way for 
people to contribute their own bandwidth.

> Is it possible for someone to reliably attest that they individually
> built a reproducible work product?  I believe the needed variation in
> inputs, like a hash, is incompatible with the goal of reproducibility.

I think it's possible if the signature is detached from the reproducible work 
product to be signed. For example, it's like the difference between an embedded 
and detached signature of a file signed by GPG. Distributing a detached 
signature alongside a file doesn't change the hash of the file that's been 
signed.

Of course, you may not have built the build inputs yourself either - but those 
can be authenticated separately. (Recursion!)

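The detached-signature idea discussed above, as an added example that is not from this thread or from any Guix code: each builder signs only the SHA-256 digest of the artifact with an Ed25519 key (standing in for a GPG key), so the artifact's own hash is unchanged, and a client that receives a substitute can count how many distinct trusted builders vouch for it. The builder names, keys and artifact bytes are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// DetachedSig is what a builder publishes alongside, not inside, the artifact.
type DetachedSig struct {
	Builder string
	Digest  [sha256.Size]byte // hash of the artifact as that builder produced it
	Sig     []byte            // Ed25519 signature over Digest
}

// Attest signs the artifact's digest; the artifact bytes, and so its hash, are untouched.
func Attest(builder string, priv ed25519.PrivateKey, artifact []byte) DetachedSig {
	d := sha256.Sum256(artifact)
	return DetachedSig{Builder: builder, Digest: d, Sig: ed25519.Sign(priv, d[:])}
}

// Verify fails on an unknown builder, a digest that does not match our copy, or a bad signature.
func Verify(artifact []byte, s DetachedSig, trusted map[string]ed25519.PublicKey) bool {
	pub, ok := trusted[s.Builder]
	if !ok || sha256.Sum256(artifact) != s.Digest {
		return false
	}
	return ed25519.Verify(pub, s.Digest[:], s.Sig)
}

// CountAttestations counts distinct trusted builders whose detached signatures verify.
func CountAttestations(artifact []byte, sigs []DetachedSig, trusted map[string]ed25519.PublicKey) int {
	seen := map[string]bool{}
	for _, s := range sigs {
		if Verify(artifact, s, trusted) {
			seen[s.Builder] = true
		}
	}
	return len(seen)
}

func main() {
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader) // constructed builder keys
	bobPub, bobPriv, _ := ed25519.GenerateKey(rand.Reader)
	artifact := []byte("constructed reproducible build output") // constructed sample artifact
	trusted := map[string]ed25519.PublicKey{"alice": alicePub, "bob": bobPub}
	sigs := []DetachedSig{Attest("alice", alicePriv, artifact), Attest("bob", bobPriv, artifact)}
	fmt.Println("independent attestations:", CountAttestations(artifact, sigs, trusted)) // prints 2
}
```

A client could require a minimum count before using a substitute, which is one way to limit the damage a single misconfigured or malicious substitute server can do.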