Fwiw I see benefits in reproducible builds to answer the question "is the binary on my machine built from this source?"
I think we all agree having source code is beneficial, and we all agree that providing build seeds and source to someone could let them check if your build infra was compromised (but says nothing about whether you're malicious or not).
I think the key point is: Reproducible builds do not prevent backdoors.
What's a better way to check if a trusted vendor had their build infra compromised? It may be a poor way, but it's likely the best available?
Oh, I'm just talking specifically about publishing build seeds and hoping some member of the public cares enough to check
It's totally reasonable to hire a third party, or to get two project members to verify the build reproduces.