I see, so the threat model that means everyone should be using repro builds is: an Android user that is willing to violate the terms of usage, can build their own application, but can't sideload so they can use the build they trust, for some reason? Correct?
-
The definition I work from requires it to be public (even if not licensed under an open source license) so that in principle anyone can reproduce it. Not just an escrow party who's incentivized not to disclose problems or risk no longer being accepted by the vendor.
-
The point is, why can't you use the binary that you built? That would mean reproducible builds are worthless. Fine, building software is hard and you wanted someone else to reproduce it for you, but then why can't just the vendor and the auditor have the code?