It's been a few days since I've received any hate mail from reproducible build fans, so I think it's time to stoke those flames. 🔥
Here are my thoughts on the topic, TL;DR: You don't need reproducible builds. blog.cmpxchg8b.com/2020/07/you-do
If you extract some value from them, or even just like them because you feel like it improves your build, that is totally acceptable! My only complaint is when people claim it has security or trust benefits, I don't believe it does.
There is a trust+security benefit in being able to detect compromised build servers. Signing keys are best kept in a place where they can sign but not be leaked e.g. via HSM or obs-signd.
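The detection the reply describes, as an added example that is not part of the thread: the same source is built on several independent hosts, and a release is accepted only when a quorum of builders produce byte-identical output, so a single tampered build host shows up as a divergent digest instead of silently shipping. The builder names and artifact bytes are constructed for the illustration; a real check would hash the actual build outputs.

```python
import hashlib
from collections import Counter

# Constructed sample artifacts standing in for the output of three independent
# builders. "builder-a" and "builder-b" agree byte-for-byte; "builder-c" carries
# two extra bytes, the kind of divergence a compromised build host would produce.
SAMPLE_BUILDS = {
    "builder-a": b"\x7fELF\x02\x01\x01release-1.0",
    "builder-b": b"\x7fELF\x02\x01\x01release-1.0",
    "builder-c": b"\x7fELF\x02\x01\x01release-1.0\x90\x90",
}


def digest(artifact: bytes) -> str:
    """SHA-256 hex digest of one build artifact."""
    return hashlib.sha256(artifact).hexdigest()


def check_reproducibility(builds: dict, quorum: int = 2) -> dict:
    """Compare artifacts from independent builders.

    A digest produced by at least `quorum` builders is treated as the consensus.
    Builders whose digest differs from the consensus are reported as divergent;
    if no digest reaches the quorum there is no consensus and every builder is
    reported as divergent, so the release is not accepted.
    """
    digests = {name: digest(blob) for name, blob in builds.items()}
    counts = Counter(digests.values())
    top_digest, top_count = counts.most_common(1)[0]
    consensus = top_digest if top_count >= quorum else None

    agreeing = sorted(n for n, d in digests.items() if d == consensus)
    divergent = sorted(n for n, d in digests.items() if d != consensus)
    return {
        "consensus": consensus,
        "agreeing": agreeing,
        "divergent": divergent,
        # Reproducible only when a consensus exists and nobody disagrees with it.
        "reproducible": consensus is not None and not divergent,
        "digests": digests,
    }


def should_sign(builds: dict, quorum: int = 2) -> bool:
    """Gate for the signing step: sign only a fully reproducible release."""
    return check_reproducibility(builds, quorum)["reproducible"]


if __name__ == "__main__":
    report = check_reproducibility(SAMPLE_BUILDS)
    print("consensus :", report["consensus"])
    print("agreeing  :", report["agreeing"])
    print("divergent :", report["divergent"])
    print("sign?     :", should_sign(SAMPLE_BUILDS))
```

In this arrangement the signing key never needs to live on a build host: the builders only produce artifacts and digests, and the signer (an HSM or a service like obs-signd, as the reply mentions) signs solely when the quorum check passes.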