Package distribution security today rests on cryptographic
signatures over release files. We propose to extend that
signature mechanism with an architecture that protects against
targeted backdoors served to individual clients by a compromised archive.
This project introduces a Merkle tree-based transparency log for package metadata
and source code, similar to Certificate Transparency. In our system,
the APT client verifies that it installs the same binary package as
everybody else. Utilising reproducible builds, we further ensure
that the source code and buildinfo corresponding to that binary can
be retrieved.
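The following is an added example, not code from the paper or its prototype, showing the core of the client-side check described above: a Merkle-tree log of binary package hashes and an inclusion-proof verification that an APT-like client would run before installing. It assumes RFC 6962 (Certificate Transparency) leaf and node hashing, a constructed entry format of `name version sha256-of-deb` standing in for the paper's package metadata, and a tree head that reaches the client over a signed channel; the signature check on the head and the consistency proof between successive heads are left out. The final check shows why a targeted backdoor fails: a .deb whose bytes differ from what everyone else received has no entry in the log, so its proof does not reproduce the head.

```python
"""Added example: append-only Merkle log of package hashes plus the client
inclusion check. Hashing follows RFC 6962: leaf = SHA-256(0x00 || entry),
node = SHA-256(0x01 || left || right). All data below is constructed."""
import hashlib


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(entry: bytes) -> bytes:
    return _sha256(b"\x00" + entry)          # domain-separated leaf hash


def node_hash(left: bytes, right: bytes) -> bytes:
    return _sha256(b"\x01" + left + right)   # domain-separated interior hash


def _split_point(n: int) -> int:
    """Largest power of two strictly below n (RFC 6962 tree shape)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def tree_head(entries: list) -> bytes:
    """Merkle tree hash over the given log entries."""
    if not entries:
        return _sha256(b"")
    if len(entries) == 1:
        return leaf_hash(entries[0])
    k = _split_point(len(entries))
    return node_hash(tree_head(entries[:k]), tree_head(entries[k:]))


def inclusion_proof(entries: list, index: int) -> list:
    """Audit path (sibling hashes, leaf to root) for entries[index]."""
    if len(entries) <= 1:
        return []
    k = _split_point(len(entries))
    if index < k:
        return inclusion_proof(entries[:k], index) + [tree_head(entries[k:])]
    return inclusion_proof(entries[k:], index - k) + [tree_head(entries[:k])]


def verify_inclusion(entry: bytes, index: int, tree_size: int,
                     proof: list, head: bytes) -> bool:
    """Client side: recompute the head from entry and audit path
    (algorithm of RFC 9162 section 2.1.3.2)."""
    if index >= tree_size:
        return False
    fn, sn = index, tree_size - 1
    r = leaf_hash(entry)
    for p in proof:
        if sn == 0:
            return False                     # proof longer than the tree is deep
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            if not fn & 1:                   # climb past levels where we are the tail
                while not fn & 1 and fn != 0:
                    fn >>= 1
                    sn >>= 1
        else:
            r = node_hash(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == head


def package_entry(name: str, version: str, deb: bytes) -> bytes:
    """Constructed log entry: name, version and SHA-256 of the .deb bytes."""
    return f"{name} {version} {hashlib.sha256(deb).hexdigest()}".encode()


# Constructed archive: five fake .deb payloads, logged in upload order.
DEBS = [("libfoo1", "1.0-1", b"libfoo1 1.0-1 contents"),
        ("foo", "1.0-1", b"foo 1.0-1 contents"),
        ("bar", "2.3-4", b"bar 2.3-4 contents"),
        ("libfoo1", "1.0-2", b"libfoo1 1.0-2 contents"),
        ("baz", "0.9-1", b"baz 0.9-1 contents")]
LOG = [package_entry(n, v, d) for n, v, d in DEBS]
HEAD = tree_head(LOG)                        # what a signed tree head would carry


def client_accepts(name: str, version: str, downloaded_deb: bytes,
                   index: int, proof: list) -> bool:
    """Install only if the exact bytes we downloaded are in the public log."""
    entry = package_entry(name, version, downloaded_deb)
    return verify_inclusion(entry, index, len(LOG), proof, HEAD)


if __name__ == "__main__":
    honest = client_accepts("libfoo1", "1.0-2", DEBS[3][2], 3, inclusion_proof(LOG, 3))
    # Targeted backdoor: same name and version, different bytes, served to one client.
    backdoored = client_accepts("libfoo1", "1.0-2", b"libfoo1 1.0-2 contents + backdoor",
                                3, inclusion_proof(LOG, 3))
    print("honest download accepted:", honest, "| backdoored download accepted:", backdoored)
```

In a deployment the client would additionally verify the archive's signature on the tree head and a consistency proof that the new head extends the head it saw last, so that the archive cannot present one log to the target and another to everyone else.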
We explain parts of our prototype and show the results of replaying two years of Debian updates.