Maybe, but you *have* to trust the vendor anyway, and if you don't trust them to tell the truth that they're checking the build server, then you can't trust them not to insert bugdoors... right? 
I'm saying: open source is good, having bit-for-bit reproducible builds is worthless. I think you're saying "It's reproducible builds or binaries only", but why? Can't we just have the source?
-
Well, what about opaque distribution platforms like app stores? I see a use case for "how does Signal prove to users who download via the app store that the binary is built from source," no? (Assuming you trust all app store users get the same binary...)
-
Those platforms are not designed for that, e.g. on Android you would have to install them first. Then why not just use the binaries you built? If you have two devices and *assume* both got the same binary, then why not *assume* the build is the same and not check?