Reproducible builds are a supply-chain control, not a quality control. They don't fix the garbage in, garbage out problem. But verifying that the garbage I'm receiving is in fact exactly the garbage the vendor produced still has value.
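An added example, not from the thread, of the check that tweet describes: it compares the artifact you received against the vendor's published digest and against digests from independent rebuilds of the same source, so it can separate "I got what the vendor shipped" from "the vendor's build output matches the source". The sample bytes and digests are constructed, and SHA-256 is assumed as the digest.

```python
import hashlib
from typing import Iterable


def sha256_hex(data: bytes) -> str:
    """Digest used to compare artifacts (assumption: vendor publishes SHA-256)."""
    return hashlib.sha256(data).hexdigest()


def classify_artifact(received: bytes, vendor_digest: str,
                      rebuild_digests: Iterable[str]) -> str:
    """Classify a received artifact using reproducible-build evidence.

    received         - the bytes you actually downloaded
    vendor_digest    - the digest the vendor published for that release
    rebuild_digests  - digests from independent rebuilds of the same source

    Returns one of:
      "received-mismatch"     - what you got is not what the vendor published
                                (corrupt download, mirror tampering, ...)
      "non-reproducible"      - independent rebuilds disagree with each other,
                                so the build is not deterministic and proves nothing
      "vendor-output-differs" - rebuilds agree with each other but not with the
                                vendor's output: the vendor build environment
                                produced something the source does not explain
      "verified"              - received == vendor claim == every rebuild
    Note: "verified" says nothing about the quality of the source itself.
    """
    rebuilds = set(d.lower() for d in rebuild_digests)
    if not rebuilds:
        raise ValueError("need at least one independent rebuild digest")
    got = sha256_hex(received)
    if got != vendor_digest.lower():
        return "received-mismatch"
    if len(rebuilds) != 1:
        return "non-reproducible"
    if rebuilds != {got}:
        return "vendor-output-differs"
    return "verified"


if __name__ == "__main__":
    # Constructed sample: a "release" whose bytes stand in for a real tarball.
    release = b"constructed release tarball bytes v1.2.3"
    published = sha256_hex(release)
    # Two independent rebuilders reproduced the same bytes -> verified.
    print(classify_artifact(release, published, [published, published]))
    # Rebuilders agree with each other but not with the vendor's output.
    print(classify_artifact(release, published, [sha256_hex(b"other build")]))
```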
Like, you have to trust a vendor that the source code was created by their engineers in good faith. You accept that, but then say you can't trust them to tell you if they've verified their build server is compromised or not. That's just arbitrary?
-
We clearly have different experiences with vendor build practices.
-
Are you saying I think vendors have good quality builds? I don't think that, and don't see what difference it would make if I did.