My version of this question: what's the new hotness in protecting against any malicious dynamic code changes (including auto-updated code, which of course is a baseline security practice now), on any platform? E.g. is anyone really verifying Signal's reproducible builds...?
-
Repeating myself (it's getting too late here, stopping now): I don't see it as a binary answer. Reproducible builds let me trust the vendor less, make backdoors harder (by which extent is of course very debatable), and cost little. It's a spectrum of probabilities, not yes/no.
-
Well, we definitely disagree, but I've already explained why. I think there's nothing else to add.
-
The theoretical benefits of reproducible builds are based on the theoretical benefits of open source. I don't think reality matches anything close to the hype. I don't think either does much to avoid trust in vendors/developers. I think both help making software better though.
-
It depends a lot on the project. It gets much less useful as the code size / complexity of the project increases. It's more useful if the project uses a simple type/memory safe language where there are far fewer subtle ways of horrible things happening so it's easier to check.