And since I can't see any real harm with reproducible builds (besides the work it takes to set up in the first place) - i.e. no runtime overhead etc - I don't see the usual discussion of cost of mitigation measures to factor in much in this debate. So, why not build reproducibly?
Let's explore this threat model you're trying to solve: You're using the Play Store and you trust all the platform binaries, you also trust the vendor, but you think their build is compromised. You can't sideload, so how do you get the App Store binaries to check?
You keep circling around to assuming things I'm not assuming. Twitter is probably not a viable medium for this conversation because there's too much hidden state in undiscoverable thread branches.
How do you get the binaries? The ones you're going to reproduce? I'm not assuming anything, I'm asking a question.