Oh yes, if we could have such a cross-OS standard for signed metadata in a separate stream (detached), multiple signatures for reproducible builds would be much easier to accomplish. https://twitter.com/rootkovska/status/1053774418814607361
Replying to @rene_mobile
I’m not sure why the focus on cross-OS? Generally the signature scheme is coupled to the (per-OS) executable format/delivery mechanism/build artifact. Meaning you won’t inherently get cross-OS, you just explicitly deign to support multiple OSes.
2 replies 0 retweets 2 likes
Replying to @sleevi_ @rene_mobile
One reason is that one could verify the same binaries on different platforms, e.g. as part of a forensics effort. So this is more about giving binaries a universally-verifiable "ID".
1 reply 0 retweets 0 likes
Replying to @rootkovska @rene_mobile
Isn’t that like wishing for a universal executable format? If the executables can be reordered with the same semantic meaning, as they can on most platforms, it seems like it would defeat the goal unless there was such a format and/or per-OS+format knowledge
1 reply 0 retweets 1 like
I don't think it'd have to be bitwise-identical, but at least semantically standardized, so that the same kind of info was always included, rather than leaving this to app and/or OS vendors to decide what to include (just URL? just signature? etc).