There might be non-security benefits of reproducible builds to *vendors*, but I don't see any benefit to users of being able to reproduce them. This is just because promising there's no backdoors makes no sense when bugdoors are just so perfect?
If you read the tweet above, I explained why that isn't the case. If you have a counterargument, you have to make it 
-
Getting an attestation from a 3rd party is the opposite of trusting the vendor though. And how does a trusted 3rd party make that attestation if not via reproducible builds?
-
You *have* to trust the vendor, there's no way around that. The point is, if you trust them, then why would you think they're lying when they say an auditor verified their build infrastructure wasn't compromised?