You can prove the build server isn't compromised, but you can't prove you're not trying to hide a backdoor, right? So users still have to trust you, and you could get the same benefit from getting a third party to privately repro the build for you...
If you think they might lie, then you can't trust them, and reproducible builds don't have any benefit (because of bugdoors).
Reproducible builds are a supply-chain control, not a quality control. They don't fix the garbage in, garbage out problem. But verifying that the garbage I'm receiving is in fact exactly the garbage the vendor produced still has value.
But in a cloudy CI/CD world of building native on Windows.. Wygd build it on Amazon? You're left with the same question surely? You've gotta sign it with something that's audited/FOSS, then maybe static analysis tools can help you out.. And trust the vendors of the tools..
(Like @halvarflake I'm still catching up)