You haven't answered the most important question. You have to build the code anyway, so why can't you just use the code *you* built? I'm asking because that's exactly what I do, and I want to know what the security threat to me is.
Trusting X to be competent and not to be conspiring with Y is not the same as trusting X to provide you binaries.
For example this is absolutely the case with X=Google. I trust Google security folks' analysis of third parties' software. I don't trust that binaries from Google don't contain buried functionality contrary to my interests and safety.
Say I read through the Signal app source code and build infra. It's sound. How can I tell the world that the app they are currently pulling from Google's app store is source-audited? The same applies to Linux distros.
You can say "The source code and build infrastructure are safe"?
"Someone you trust needs to build the software." This is it exactly! Without reproducible builds, your statement is true. But with reproducible builds, it becomes possible to avoid needing to pick a single someone to trust to build the software.
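Added example, not posted by anyone in the thread: a toy build that is not reproducible next to its normalized counterpart, and the check that the last reply is getting at, where the artifact a store ships is accepted only if several independent builders reproduce the same bytes from the same source. It also answers the earlier "how can I tell the world the store build matches the audited source" question: once builds are bit-for-bit reproducible, an auditor publishes a digest and anyone can compare it to the store artifact. Everything here is constructed for illustration: the in-memory "source tree", the two builders, their uids and clocks, the backdoored tree, and the unsigned `{builder: digest}` attestations (real attestations would be signed, and real builds have many more sources of nondeterminism than the three shown).

```python
"""Reproducible-builds demo (constructed example, not from the thread).

The "build" is: tar the source tree, then gzip it.  The naive builder leaks
its clock, its uid and the order it happened to walk the tree; the
reproducible builder pins all of that so any builder gets identical bytes.
"""
import gzip
import hashlib
import io
import tarfile

# Constructed stand-in for a checked-out source tree (path -> content).
SOURCE_TREE = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "src/util.c": b"int helper(void) { return 42; }\n",
    "README": b"toy project\n",
}

# Convention used by reproducible-builds.org: a fixed timestamp taken from
# the source (e.g. the commit date) instead of the build machine's clock.
SOURCE_DATE_EPOCH = 1_600_000_000


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_naive(tree: dict, builder_uid: int, build_time: int) -> bytes:
    """Typical non-reproducible build: archive entries in whatever order the
    tree is walked, stamp them with the builder's clock and uid, and let gzip
    record the current time in its header."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, content in tree.items():      # walk order leaks into output
            info = tarfile.TarInfo(path)
            info.size = len(content)
            info.mtime = build_time             # builder's clock leaks
            info.uid = builder_uid              # builder's identity leaks
            tar.addfile(info, io.BytesIO(content))
    return gzip.compress(buf.getvalue())        # gzip header gets time.time()


def build_reproducible(tree: dict, source_date_epoch: int) -> bytes:
    """Same inputs, normalized: sorted entries, fixed mtime, fixed ownership
    and mode, pinned archive format, zeroed gzip timestamp."""
    buf = io.BytesIO()
    # Pin the format: the tarfile default changed between Python versions,
    # and a different default would change the bytes without changing inputs.
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tar:
        for path in sorted(tree):
            content = tree[path]
            info = tarfile.TarInfo(path)
            info.size = len(content)
            info.mtime = source_date_epoch
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(content))
    return gzip.compress(buf.getvalue(), mtime=0)


def check_distribution(shipped: bytes, attestations: dict, quorum: int):
    """Accept the shipped artifact only if at least `quorum` independent
    builders attest to the same digest.  Returns (accepted, agreeing builders).
    No single builder has to be trusted; collusion of `quorum` of them would."""
    d = _digest(shipped)
    agreeing = sorted(name for name, digest in attestations.items() if digest == d)
    return len(agreeing) >= quorum, agreeing


def demo() -> dict:
    """Run the scenario end to end and return the outcomes for inspection."""
    # Two independent builders: different uid, different clock, and builder B
    # happens to walk the tree in the opposite order.
    tree_as_seen_by_b = dict(reversed(list(SOURCE_TREE.items())))
    naive_a = build_naive(SOURCE_TREE, builder_uid=1000, build_time=1_700_000_000)
    naive_b = build_naive(tree_as_seen_by_b, builder_uid=1001, build_time=1_700_000_007)
    repro_a = build_reproducible(SOURCE_TREE, SOURCE_DATE_EPOCH)
    repro_b = build_reproducible(tree_as_seen_by_b, SOURCE_DATE_EPOCH)

    attestations = {"builder-A": _digest(repro_a), "builder-B": _digest(repro_b)}

    # Case 1: the store ships an honest build.
    store_ok, store_who = check_distribution(repro_a, attestations, quorum=2)

    # Case 2: the store ships a build of a tree with "buried functionality"
    # (constructed backdoor: an extra source file) while claiming the same
    # source.  Independent rebuilds of the published source will not match it.
    backdoored_tree = dict(SOURCE_TREE, **{"src/phone_home.c": b"/* not in the repo */\n"})
    backdoored = build_reproducible(backdoored_tree, SOURCE_DATE_EPOCH)
    bad_ok, bad_who = check_distribution(backdoored, attestations, quorum=2)

    return {
        "naive_matches": naive_a == naive_b,      # False: can't be compared
        "repro_matches": repro_a == repro_b,      # True: bit-for-bit identical
        "store_ok": store_ok, "store_agreeing": store_who,
        "backdoored_ok": bad_ok, "backdoored_agreeing": bad_who,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The quorum check is where the "no single someone to trust" claim lands: the auditor who reviewed the source is just one more attesting builder, and a store that ships something nobody can reproduce from the published source fails the check with zero agreeing builders rather than being taken on faith.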