Yes, but that only makes sense if you trust the person who provided the source code (because if you don't trust them, there could be a bugdoor). So another way to verify that would be codesigning, or hosting the binary on a https server, right?
Vendors are not uniform spheres. I can assign different levels of trust to different things they do. Reproducible builds solve real problems I (and others) have observed with vendor development practices. There's a pretty good explanation here: https://github.com/opencomputeproject/Security/blob/master/SecureFirmwareDevelopmentBestPractices.md
For example, you might trust a vendor to not provide you malicious software, but not trust they're not maliciously lying about how they produced that software? Can you see why I think that's a weak argument?
The only explanation would be you don't trust them, so then why would reproducible builds help?