Yes, but that only makes sense if you trust the person who provided the source code (because if you don't trust them, there could be a bugdoor). So another way to verify that would be code signing, or hosting the binary on an https server, right?
I think the key point is: Reproducible builds do not prevent backdoors.

I had some discussions about reproducible builds for security of Linux distros in recent times. It helps to ask where the compiler is actually bootstrapped from, plus Ken Thompson.
I live (professionally) in a threat model where insider compromise of build infrastructure is a serious concern. My threat model is not your threat model, and vice versa. So, yes, reproducible builds are a useful tool for me.
Let's think about your threat model and see if reproducible builds are the solution. You have to produce two builds, the compromised one, and the trusted one, correct? Can you fill in some blanks, like why can't you just use the trusted one, and why can't both be compromised?
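The exchange above turns on what a reproducible build can and cannot tell you: an independent party rebuilds from the same source and compares the result with the published artifact, which catches a builder that was tampered with but says nothing about a backdoor that is in the source itself. The following is an added example, not code from anyone in this thread. It stands in a trivial deterministic tar-packing step for a real compiler, uses a constructed two-file source tree, and assumes a pinned SOURCE_DATE_EPOCH-style timestamp is the only environment input; the names build, verify_published, diff_artifacts and demo are my own.

```python
"""Minimal reproducible-build check: build the same source twice, compare hashes,
and show what an independent rebuild does and does not detect.

Added example; the 'build' is a tar packing step standing in for a compiler.
"""
import hashlib
import io
import os
import shutil
import tarfile
import tempfile

# Constructed source tree (not a real project).
SOURCE = {
    "Makefile": b"all: main.c\n\tcc -o main main.c\n",
    "main.c": b"int main(void) { return 0; }\n",
}
EPOCH = 1_500_000_000  # the pinned SOURCE_DATE_EPOCH value both builders agree on


def build(src_dir, source_date_epoch=None):
    """Pack src_dir into an uncompressed tar artifact.

    With source_date_epoch=None, file mtimes and owner ids come from the
    filesystem, so two checkouts made at different times give different bytes.
    With it set, all metadata is pinned and file order is sorted, so the
    artifact depends only on source content."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for root, dirs, files in os.walk(src_dir):
            dirs.sort()                       # stable traversal order
            for name in sorted(files):
                path = os.path.join(root, name)
                with open(path, "rb") as f:
                    data = f.read()
                info = tarfile.TarInfo(os.path.relpath(path, src_dir))
                info.size = len(data)
                info.mode = 0o644
                if source_date_epoch is None:
                    st = os.stat(path)        # leaks checkout time and builder uid
                    info.mtime, info.uid, info.gid = int(st.st_mtime), st.st_uid, st.st_gid
                else:
                    info.mtime = source_date_epoch
                    info.uid = info.gid = 0
                    info.uname = info.gname = ""
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def verify_published(published_hash, src_dir, source_date_epoch):
    """Independent rebuild: does my build of the same source match the published hash?"""
    return sha256(build(src_dir, source_date_epoch)) == published_hash


def diff_artifacts(art_a, art_b):
    """Names of tar members whose metadata or content differ (a tiny diffoscope)."""
    def members(art):
        with tarfile.open(fileobj=io.BytesIO(art), mode="r:") as tar:
            return {m.name: (m.mtime, m.uid, m.gid, m.mode, tar.extractfile(m).read())
                    for m in tar.getmembers()}
    ma, mb = members(art_a), members(art_b)
    return sorted(n for n in ma.keys() | mb.keys() if ma.get(n) != mb.get(n))


def make_checkout(mtime):
    """Write the constructed source tree to a temp dir with a chosen checkout time."""
    d = tempfile.mkdtemp()
    for name, data in SOURCE.items():
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(data)
        os.utime(p, (mtime, mtime))
    return d


def demo():
    a = make_checkout(1_600_000_000)   # builder A's checkout
    b = make_checkout(1_700_000_000)   # independent builder B's checkout, later
    try:
        unpinned_a, unpinned_b = build(a), build(b)
        pinned_a = build(a, EPOCH)
        # Insider on builder A swaps the artifact after the build; B rebuilds and compares.
        tampered = pinned_a + b"\x00"
        return {
            "unpinned_match": sha256(unpinned_a) == sha256(unpinned_b),
            "unpinned_diff": diff_artifacts(unpinned_a, unpinned_b),
            "pinned_match": verify_published(sha256(pinned_a), b, EPOCH),
            "tamper_detected": not verify_published(sha256(tampered), b, EPOCH),
        }
    finally:
        shutil.rmtree(a)
        shutil.rmtree(b)


if __name__ == "__main__":
    print(demo())
```

The tamper case is the one the thread's "two builds" framing describes: the published artifact and the independent rebuild disagree, so the build infrastructure is the suspect. A bugdoor committed to SOURCE would reproduce identically on both builders and never show up here, which is the other poster's point that reproducibility verifies the build, not the source.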