My version of this question: what's the new hotness in protecting against any malicious dynamic code changes (including auto-updated code, which of course is a baseline security practice now), on any platform? E.g. is anyone really verifying Signal's reproducible builds...?
Right, but because you have to trust the vendor anyway, they don't need to make the source/seeds public. For example, they could hire an auditor to verify and you can trust them that they're telling the truth, and you get the same benefit?
I feel like I have missed a few hours of discussion. How does hiring an auditor equal not having to trust that their build infra is not compromised?
(perhaps I misunderstand the current state of the discussion?)