security · live integrity

repository status

An independent monitor re-verifies every published package against the signed manifest. This page shows its latest result. You do not have to trust it — every check below, you can run yourself.

system integrity
checking…
manifest signature
packages verified
coverage
signing keys
per-package
package | version | hash | signature

verify it yourself

The monitor is just one canary. Its honesty is not the point — the same verification is reproducible by anyone, against public artifacts, with a key you fetch from a separate system. Check any package directly:

    # with cosign, against the bundle published next to the package
    cosign verify-blob --key cosign.pub \
      --bundle PKG.x86_64.xbps.cosign.bundle PKG.x86_64.xbps

    # or with the odyssey-challenge tool, which re-derives the whole chain
    odyssey-challenge verify PKG --pubkey cosign.pub

Take cosign.pub from the keys repository, not from the package server, so that an attacker who compromises one still has to defeat the other.
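The single-package cosign check above, extended to a whole directory of downloaded packages, as an added example that is not Odyssey's own tooling. It assumes the packages are *.xbps files with their .cosign.bundle files beside them; the verify_dir function and the COSIGN override are hypothetical names introduced here.

```shell
#!/bin/sh
# Added example, not part of the Odyssey project.
# Assumptions: DIR holds *.xbps packages, each with <file>.cosign.bundle
# beside it; KEY is cosign.pub fetched from the keys repository.
# COSIGN may name an alternative cosign binary (default: cosign).

# verify_dir DIR KEY
# Prints one summary line; returns 0 only if every package verified.
verify_dir() {
    dir=$1 key=$2
    ok=0 bad=0 missing=0
    [ -r "$key" ] || { echo "key not readable: $key" >&2; return 2; }
    for pkg in "$dir"/*.xbps; do
        [ -e "$pkg" ] || continue        # glob matched nothing
        bundle="$pkg.cosign.bundle"
        if [ ! -f "$bundle" ]; then
            # No bundle means unverified, never "skipped": count it.
            echo "MISSING  $pkg" >&2
            missing=$((missing + 1))
        elif "${COSIGN:-cosign}" verify-blob --key "$key" \
                --bundle "$bundle" "$pkg" >/dev/null 2>&1; then
            ok=$((ok + 1))
        else
            echo "FAILED   $pkg" >&2
            bad=$((bad + 1))
        fi
    done
    total=$((ok + bad + missing))
    echo "verified=$ok failed=$bad missing=$missing total=$total"
    # Fail closed: an empty directory or any gap in coverage is an error.
    [ "$total" -gt 0 ] && [ "$bad" -eq 0 ] && [ "$missing" -eq 0 ]
}

# Run only when called with arguments, e.g.:
#   sh verify-dir.sh ./packages ./cosign.pub
if [ "$#" -eq 2 ]; then
    verify_dir "$1" "$2"
fi
```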

Security alerts. Odyssey users can opt in to email alerts from the Software Center — if this monitor ever reports a failure, subscribers are notified immediately. This page stays public to everyone; the alerts are a convenience for people running the system.