@alexstamos has a better list of Twitter handles (and thanks to all of the other folks who were involved, including the external counsel who suggested we use the phrase "as contemplated herein" multiple times and I almost did it) https://twitter.com/alexstamos/status/1263896949712814080 …
I think people generally agree now that reproducible builds don't prevent backdoors. That's good, but now they want to argue for other fuzzier benefits, so it's harder to follow that!
Oh, I never thought they _prevented_ backdoors, only that some of the easier vectors for introducing them are being mitigated. And that seems a good thing, especially in combination with my strong suspicion (only anecdata, though) that it helps code (or at least build) quality.
And since I can't see any real harm with reproducible builds (besides the work it takes to set up in the first place) - i.e. no runtime overhead etc - I don't see the usual discussion of cost of mitigation measures to factor in much in this debate. So, why not build reproducibly?
They don't prevent backdoors in the pristine source, it's outside of the scope. They do prevent backdoors in the supply chain of getting the package to you. This is especially relevant for distributions and where the vendor is the middle-man.
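The supply-chain check this reply describes, as an added illustration that is not part of the thread: a toy packaging step in Python that pins the metadata which normally makes two builds differ (tar mtimes, ownership, entry order, the gzip header timestamp), and a verifier that rebuilds from the pristine source and compares digests with what the vendor shipped. The source tree, the altered tree and the `build`/`verify` helpers are all constructed for the example.

```python
import gzip
import hashlib
import io
import tarfile

# Constructed "pristine source" (path -> contents), standing in for a reviewed tree.
SOURCE = {
    "pkg/main.c": b"int main(void) { return 0; }\n",
    "pkg/README": b"demo package\n",
}
# Constructed tree whose contents differ from what was reviewed.
ALTERED = dict(SOURCE, **{"pkg/main.c": SOURCE["pkg/main.c"] + b"/* not in the reviewed source */\n"})


def build(source, normalize=True, timestamp=0):
    """Pack `source` into a .tar.gz. With normalize=True every metadata field that
    usually varies between machines is pinned, so the bytes depend only on the
    source contents (a reproducible build). With normalize=False the build
    leaks `timestamp`, which is what an ordinary, unpinned build does."""
    buf = io.BytesIO()
    # gzip's own header carries a timestamp; mtime=0 is the equivalent of `gzip -n`.
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=0 if normalize else timestamp) as gz:
        with tarfile.open(fileobj=gz, mode="w|") as tar:
            for path in sorted(source):  # fixed entry order, not directory-listing order
                data = source[path]
                info = tarfile.TarInfo(path)
                info.size = len(data)
                info.mtime = 0 if normalize else timestamp
                info.uid = info.gid = 0  # the build account's identity is not part of the source
                info.uname = info.gname = ""
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def digest(blob):
    return hashlib.sha256(blob).hexdigest()


def verify(shipped, pristine_source):
    """An independent rebuilder's check: rebuild from the pristine source and
    compare with the shipped package. Only meaningful when build() is reproducible;
    a mismatch means the package was not produced from this source as-is."""
    return digest(build(pristine_source)) == digest(shipped)


if __name__ == "__main__":
    print("unpinned builds agree:", build(SOURCE, False, 1000) == build(SOURCE, False, 2000))
    print("pinned builds agree:", build(SOURCE) == build(SOURCE))
    print("vendor package from pristine source verifies:", verify(build(SOURCE), SOURCE))
    print("vendor package from altered source verifies:", verify(build(ALTERED), SOURCE))
```

With the unpinned build, two honest builds already disagree, so a digest mismatch tells the verifier nothing; with the pinned build, a mismatch is a signal worth investigating.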