If you think they might lie, then you can't trust them, and reproducible builds don't have any benefit (because of bugdoors).
It's clear to me, and I'm telling you it's a weak argument. If there's something that isn't clear in this thread, please file a reply.
I think your threat model is confused; your decision about what you can trust and what you can't is arbitrary.
Like, you have to trust a vendor that the source code was created by their engineers in good faith. You accept that, but then say you can't trust them to tell you if they've verified their build server is compromised or not. That's just arbitrary?
We clearly have different experiences with vendor build practices.