It must be automated IMO.
If you can't "just build the binary", then how are you going to verify it matches? The whole idea here is the outputs have to be bit-for-bit identical right?
-
-
I'm saying: open source is good, having bit-for-bit reproducible builds is worthless. I think you're saying "It's reproducible builds or binaries only", but why... can't we just have the source?
-
Well, what about opaque distribution platforms like app stores? I see a use case for "how does Signal prove to users who download via the app store that the binary is built from source," no? (Assuming you trust all app store users get the same binary...)
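The "just build it and check the bytes match" verification discussed in the replies above, as an added example that is not part of this thread: it packages a small constructed source tree twice, first with the usual nondeterministic fields (entry order, wall-clock mtime, builder uid/name, gzip header timestamp) and then with every one of those pinned, so the rebuilt artifact can be compared hash-for-hash against a published one. The source tree, file names and helper names are assumptions chosen for the demo.

```python
import gzip
import hashlib
import io
import tarfile

# Constructed sample source tree (path -> contents); stands in for a checked-out repo.
SOURCE_TREE = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "src/util.c": b"int helper(int x) { return x + 1; }\n",
    "README": b"demo project\n",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def naive_build(tree, entries_in_order, build_time, builder_uid, builder_name):
    """Package the tree the way an ad-hoc script often does: directory-listing
    order, wall-clock mtime, the builder's uid/name, and gzip's default header
    timestamp. Each of those leaks into the output bytes, so two honest builders
    produce two different artifacts and a hash comparison proves nothing."""
    buf = io.BytesIO()
    # mode "w:gz" lets gzip stamp time.time() into the header.
    with tarfile.open(fileobj=buf, mode="w:gz", format=tarfile.GNU_FORMAT) as tar:
        for path in entries_in_order:
            data = tree[path]
            info = tarfile.TarInfo(path)
            info.size = len(data)
            info.mtime = build_time
            info.uid = builder_uid
            info.uname = builder_name
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def reproducible_build(tree, source_date_epoch=0):
    """Same content, with every nondeterministic field pinned: sorted entry
    order, a fixed mtime (the SOURCE_DATE_EPOCH convention), uid/gid 0 with
    empty owner names, and a zeroed gzip header timestamp."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=0) as gz:
        with tarfile.open(fileobj=gz, mode="w", format=tarfile.GNU_FORMAT) as tar:
            for path in sorted(tree):
                data = tree[path]
                info = tarfile.TarInfo(path)
                info.size = len(data)
                info.mtime = source_date_epoch
                info.uid = info.gid = 0
                info.uname = info.gname = ""
                info.mode = 0o644
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def verify_matches(published: bytes, rebuilt: bytes) -> bool:
    """The whole check a third party needs: rebuild from source, compare digests."""
    return sha256(published) == sha256(rebuilt)


def first_diff_offset(a: bytes, b: bytes):
    """Byte offset of the first mismatch, or None if identical. Handy for
    tracing which header field is leaking build-environment state."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


if __name__ == "__main__":
    a = naive_build(SOURCE_TREE, ["README", "src/main.c", "src/util.c"], 1700000000, 1000, "alice")
    b = naive_build(SOURCE_TREE, ["src/util.c", "src/main.c", "README"], 1700000500, 1001, "bob")
    print("naive builds match:", verify_matches(a, b), "first diff at", first_diff_offset(a, b))
    r1 = reproducible_build(SOURCE_TREE)
    r2 = reproducible_build(dict(reversed(list(SOURCE_TREE.items()))))
    print("reproducible builds match:", verify_matches(r1, r2), sha256(r1))
```

The naive and pinned versions contain the same files; only metadata differs, which is exactly what makes one verifiable and the other not. For a real binary the same idea applies to compiler paths, timestamps embedded by the linker, and archive ordering.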
-
Are there any real world examples of reproducible builds revealing malice? Or maybe we assume nobody attacks the build infra of anyone building reproducibly because they know that rock keeps the elephants away? ;)
