Trisquel recompiles (aka rebuilds) all the packages from source on Trisquel servers. You can tell this because all the packages are signed with just the Trisquel key and 'apt-key list' only has the Trisquel key showing.

Yes Trisquel has to trust that upstream hasn't put anything in the publicly available source. But that also means it's checkable, which anyone so concerned is welcome to do.

Reply via email to