What’s the new hotness in protecting JS from being changed for one user?
To be clear, source analysis is useful to catch non-malicious vendors who make a mistake. If you're trying to determine if a vendor *is* malicious, source analysis provides no benefit, because there is no penalty for hiding a bugdoor... so how do repro builds help?
There are a lot of people involved in the build process. And a much smaller number of people involved in the development of specific portions of code. If you can isolate your security concerns to those areas (still aspirational) you can reduce your trusted dev base.
There's at least a higher degree of scrutiny after bugdoors and distrust in the "vendor". If the "vendor" is real FOSS and has a number of involved contributors, *they're* going to wonder too if the bugdoor was intentional and be extra vigilant.
Would they wonder? Major vendors ship advisories with dozens of backdoor-equivalent vulnerabilities every month, nobody ever asks if they were bugdoors or not. The reason is people have decided they trust that vendor, so reproducible builds wouldn't change that, right?