Marcus, you've invented a fantasy threat model and you're upset that I don't agree we should defend against it. You don't need reproducible builds, you need open source. So yes, please stop trying.
so i would disagree on this at least for me personally. i would def like to be able to rebuild debian packages deterministically from source & check that they are identical with public versions.
(i missed 95% of the discussion and am just randomly tweeting personal preferences at this point)
again, and again: I'm not proposing that. You are literally the only one doing that.
Dude. *How* will you verify the official apk matches the hash that your auditor says they checked? Literally give me the command.
Weird take,
@taviso - a popped Jenkins is as close to a hazing ritual as some things can get - large surface, shit plugins, bad updates, often open online. Often owned, and where they often take long to notice. Or is this excl. from defn. of "trusted vendor"?
I never claimed that was the problem repro builds solve, although there are some particular chain-of-control flows where it solves related problems.