When manually looking at the forked repo of adlplug (https://github.com/studiorack/adlplug) there are no commits related to the build of the project, just a release, so again I don't see a way to verify whether the build is a good one or malicious.
The lack of transparency regarding the origin of the builds/binaries is a big red flag. You are basically incentivizing users to download and run random binaries that they have no way of verifying are not malicious.
We need reproducible builds, with publicly visible logs for them.
As highlighted by Kim in the original issue, repository template adoption is complicated. Most developers have already created their repo and CI before discovering that studiorack / open-audio / owlplug exists.
Maybe we can provide a GitHub Action to automate PR creation with a manifest after a plugin release, so external developers can integrate this step into their workflow. It's probably a good extended use case for #15.
studiorack/studiorack-registry#19
DISTRHO/Cardinal#653