Fwiw I see benefits in reproducible builds to answer the question "is the binary on my machine built from this source?"
I have no idea what that means. You verify the build matches, so you don't have to trust me that my build server was safe... so what, you still have to trust there are no bugdoors. That's the whole discussion.
"Build server" is a distraction. Repro builds are a process to ensure recipient has a way to build from source. If source is minor diff on top of existing FOSS vendor has no access to backdoor, only diff needs audit.
This is a really odd point. We both agree there are huge benefits to open source, right? But you're saying the binaries also have to be reproducible, because maybe they're hiding some proprietary code in there? Um, can't you just verify there is no additional functionality?
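What the "is the binary on my machine built from this source?" check looks like in practice, as an added example that is not from any participant in the thread: the packaging step normalizes the metadata that leaks build-environment differences (file order, mtimes, owner), so a second party can rebuild and compare digests. The source tree, timestamps and function names are constructed for the demo.

```python
"""Reproducible packaging demo: the same source must yield a bit-identical
artifact on any machine, so a recipient can rebuild it and compare digests."""
import hashlib, hmac, io, os, tarfile, tempfile
from pathlib import Path

SOURCE_DATE_EPOCH = 1700000000  # fixed build timestamp (constructed value)

def deterministic_tar(src: Path) -> bytes:
    """Archive src with normalized metadata: sorted paths, fixed mtime, uid/gid 0."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for p in sorted(src.rglob("*")):
            info = tar.gettarinfo(str(p), arcname=str(p.relative_to(src)))
            info.mtime = SOURCE_DATE_EPOCH
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            if info.isfile():
                with open(p, "rb") as fh:
                    tar.addfile(info, fh)
            else:
                tar.addfile(info)
    return buf.getvalue()

def naive_tar(src: Path) -> bytes:
    """What ad-hoc build scripts do: keep whatever mtime/owner the checkout has."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        tar.add(str(src), arcname=".")
    return buf.getvalue()

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify(published_digest: str, rebuilt: bytes) -> bool:
    """The recipient's check: does my rebuild match the shipped artifact's digest?"""
    return hmac.compare_digest(published_digest, sha256(rebuilt))

def make_checkout(mtime: int) -> Path:
    """Constructed sample source tree; only the checkout time differs per machine."""
    root = Path(tempfile.mkdtemp())
    (root / "src").mkdir()
    (root / "src" / "main.c").write_text("int main(void){return 0;}\n")
    (root / "README").write_text("demo\n")
    for p in [root, *root.rglob("*")]:
        os.utime(p, (mtime, mtime))
    return root

def demo() -> dict:
    vendor, auditor = make_checkout(1_600_000_000), make_checkout(1_650_000_000)
    published = sha256(deterministic_tar(vendor))  # digest the vendor ships
    return {"deterministic_matches": verify(published, deterministic_tar(auditor)),
            "naive_matches": sha256(naive_tar(vendor)) == sha256(naive_tar(auditor))}
```

A mismatch in the deterministic path is the signal to investigate; the naive path mismatches even for honest builds, which is why it cannot answer the question.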