Comment 7 for bug 1979844

Revision history for this message
John Neffenger (jgneff) wrote :

I am grateful to the Launchpad team for taking this request seriously and responding so quickly. Thank you, Colin, for your merge proposal. I think your suggested changes solve the problem.

Technical users can find the link to the build status page in the Snap manifest file. The new information on the status page will let them verify that Launchpad built the installed Snap revision and uploaded it to the Snap Store. In addition, they will be able to use the SHA-512 hash value in the build log to verify that the Snap package mounted on their system is identical to the one built by Launchpad.

Eventually, I'd like to see us go one step further and allow for verified reproducible builds of Snap packages created by Launchpad. Users could then build a package locally and verify it as follows:

$ git clone https://github.com/jgneff/openjdk.git
$ cd openjdk
$ snapcraft
$ sha512sum openjdk_20+3_amd64.snap

Comparing the local checksum with the one logged by Launchpad would give us the ability to detect advanced supply-chain attacks against Launchpad itself, and quickly, too! For more information, see:

Preventing Supply Chain Attacks like SolarWinds
https://www.linuxfoundation.org/blog/preventing-supply-chain-attacks-like-solarwinds/

Right now, that checksum comparison fails due to just four lines in the manifest file and the timestamps in the SquashFS archive. See my comments #6 and #7 in this bug report for more information:

Bug #1890046 "Handle SOURCE_DATE_EPOCH for SquashFS"
https://bugs.launchpad.net/snapcraft/+bug/1890046
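The check described in the comment above (hash the snap file on disk and compare it with the SHA-512 that Launchpad logged for the build), as an added example that is not part of the bug report or of Launchpad's or snapcraft's own code. It assumes a build-log line of the form `SHA512: <hex>` (a constructed format; the exact wording in a real Launchpad log may differ) and embeds a constructed stand-in for the snap file so that it runs offline. The same comparison serves the reproducible-build case in the comment: point it at the `.snap` that a local `snapcraft` run produced instead of the installed one.

```shell
#!/bin/sh
# Added example (not from the bug report): verify that a snap file on disk is
# byte-for-byte the one whose SHA-512 Launchpad recorded in its build log.
#
# Assumptions, labelled here because the page does not specify them:
#   - the build log carries the hash on a line "SHA512: <128 hex chars>"
#     (constructed format; check the real log for the exact wording);
#   - the installed revision's squashfs file lives under /var/lib/snapd/snaps/
#     as <name>_<revision>.snap (snapd's usual layout; used only in comments).

# Print the SHA-512 of a file as a lowercase hex string, nothing else.
sha512_of() {
    sha512sum "$1" | cut -d' ' -f1
}

# Extract the first hash following "SHA512:" from a build log, lowercased.
# Prints nothing and returns 1 if the log carries no such line.
logged_sha512() {
    hash=$(grep -Eo 'SHA512: *[0-9a-fA-F]{128}' "$1" | head -n 1 \
           | sed 's/^SHA512: *//' | tr 'A-F' 'a-f')
    [ -n "$hash" ] || return 1
    printf '%s\n' "$hash"
}

# Compare a snap file against the hash in a build log.
# Returns 0 on match, 1 on mismatch, 2 if no hash could be found in the log.
verify_snap_against_log() {
    snap_file=$1
    log_file=$2
    expected=$(logged_sha512 "$log_file") || {
        echo "NO HASH: $log_file contains no SHA512 line"
        return 2
    }
    actual=$(sha512_of "$snap_file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $snap_file matches the hash logged by the build"
        return 0
    fi
    echo "MISMATCH: $snap_file"
    echo "  logged  $expected"
    echo "  actual  $actual"
    return 1
}

# --- constructed demo data so the script runs offline ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# Stand-in for the built snap. A real check would hash the .snap produced by
# snapcraft, or /var/lib/snapd/snaps/<name>_<revision>.snap for the installed one.
printf 'abc' > "$demo_dir/openjdk_20+3_amd64.snap"

# Stand-in for the Launchpad build log, in the assumed "SHA512:" format.
# ddaf35a1... is the SHA-512 of the three bytes "abc" (the standard test vector).
cat > "$demo_dir/buildlog.txt" <<'EOF'
Snapped openjdk_20+3_amd64.snap
SHA512: ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f
EOF

# A log with no hash line, to show the "cannot verify" path.
printf 'Snapped openjdk_20+3_amd64.snap\n' > "$demo_dir/nohash.txt"

# A tampered copy, to show the negative case.
printf 'abd' > "$demo_dir/tampered.snap"

verify_snap_against_log "$demo_dir/openjdk_20+3_amd64.snap" "$demo_dir/buildlog.txt" || true
verify_snap_against_log "$demo_dir/tampered.snap" "$demo_dir/buildlog.txt" || true
verify_snap_against_log "$demo_dir/tampered.snap" "$demo_dir/nohash.txt" || true
```

Hash the `.snap` archive itself, not the files visible under the mounted `/snap/<name>/<revision>/` tree: the log records the archive, and the mount exposes only its contents. A mismatch on the installed revision means the file on disk is not the one Launchpad built; a mismatch on a locally built snap is, as the comment notes, currently expected until the manifest lines and SquashFS timestamps are made reproducible.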