I don't see how a supply chain attack is relevant. I think reproducible builds prove your build server isn't compromised and nothing else; they don't reduce the need to trust the vendor. As you already trust the vendor, what's wrong with codesigning or similar?
Besides, people are arguing for reproducible builds *everywhere*, not for these niche fantasy threat models. I really think the reality is, they're a solution looking for a problem. 
-
I tend to agree. My only point was that they may have a (niche) use to allow third party verification of build origins. I’m not sure that’s feasible on any platform *today*, but it’s something you *could* build.
-
You could re-design those platforms so that it made sense, but at that point, why not redesign them to make sideloading easier and just use your own binaries... You have to build things anyway to get the benefit of reproducible builds!