Someone you trust needs to build the software. I'm saying, why not get the binaries from them - that system works today, it's how Linux distributions work.
-
Reproducibility is important. Source code A leading to binary B through a reproducible build guarantees what you see (source) is what you get (the binary from the vendor). What is not clear here?
-
The only way to verify that untrusted binary B is from trusted source code A is that it matches trusted binary C. If C is trusted, why can't you just use that? What is not clear about that?
-
There is a large overlap between the reasons repro builds are important and the reason publishing source is important, because repro-builds is a strict subset (axioms a strict superset) of published-source. It's a methodology to make the published source meaningful.
