Cool, so in practice you *can* have source code without reproducible builds? Then why do you need them to be bit-for-bit identical? I think you're struggling to justify a threat model that doesn't make sense. 
I see, so the threat model that means everyone should be using repro builds is: An Android user that is willing to violate the terms of usage, can build their own application, but can't sideload so they can use the build they trust, for some reason? Correct?
No, a security expert who gets the source code of an application to verify his organization should, in fact, use e.g. that e2e crypto messenger, does a build, build matches what's on app store, expert says "is OK", admins/users deploy/install now officially trusted software.
Honestly, I'm a bit confused why you still think the end user would need to build the software. If you know what the binary should look like, you can delegate trust.
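The "build it, compare with what's on the store, then delegate trust" check described in the two replies above, as an added example that is not part of the thread: it compares a locally reproduced APK against the published one entry by entry, skipping only the v1 signing files a store signing step adds (the sample archives and their contents are constructed stand-ins, not a real app).

```python
import hashlib
import io
import zipfile

# Entries that a signing step adds or rewrites; they legitimately differ between a
# locally reproduced (unsigned) build and the published, signed artifact. A v2/v3
# APK Signing Block lives outside the zip entries, so a per-entry comparison
# ignores it without special handling.
SIGNING_SUFFIXES = (".MF", ".SF", ".RSA", ".DSA", ".EC")


def content_digests(apk_bytes: bytes) -> dict:
    """Map each entry name to the SHA-256 of its bytes, so zip metadata
    (timestamps, entry order, compression level) does not affect the result."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.startswith("META-INF/") and name.upper().endswith(SIGNING_SUFFIXES):
                continue
            digests[name] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_builds(local_apk: bytes, published_apk: bytes) -> list:
    """Return human-readable differences; an empty list means the published
    artifact matches the reproduced build and trust can be delegated to it."""
    local, published = content_digests(local_apk), content_digests(published_apk)
    diffs = []
    for name in sorted(set(local) | set(published)):
        if name not in local:
            diffs.append(f"only in published: {name}")
        elif name not in published:
            diffs.append(f"only in local: {name}")
        elif local[name] != published[name]:
            diffs.append(f"content differs: {name}")
    return diffs


def make_apk(entries: dict, signed: bool) -> bytes:
    """Constructed sample archive standing in for an APK (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
        if signed:  # what a store-side v1 signing step would add
            zf.writestr("META-INF/MANIFEST.MF", b"placeholder manifest")
            zf.writestr("META-INF/CERT.RSA", b"placeholder signature blob")
    return buf.getvalue()


# Constructed sample contents for the local build and the published build.
SAMPLE = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex bytes v1"}
```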
I love how you're defending ToS that explicitly harm the user's security...
Don't make that the hill you die on. If you really object to ToS violation for this purpose, fetch with real Play Store onto a burner.