Trusting X to be competent and not to be conspiring with Y is not the same as trusting X to provide you binaries.
Replying to @RichFelker @taviso and
For example this is absolutely the case with X=Google. I trust Google security folks' analysis of third parties' software. I don't trust that binaries from Google don't contain buried functionality contrary to my interests and safety.
Replying to @RichFelker @dEnergy_dTime and
Stop conflating "open source" and "reproducible builds", it's infuriating!
Replying to @RichFelker @dEnergy_dTime and
OK, so let's say foo.exe is not open source, but the build is internally reproducible. The vendor hires someone you have to trust already (say Microsoft, who makes your OS) to reproduce the build, and they sign a statement saying they did. Happy?
Replying to @taviso @dEnergy_dTime and
I don't call that reproducible. And no, not happy.
Replying to @taviso @dEnergy_dTime and
The definition I work from requires it to be public (even if not licensed under an open source license) so that in principle anyone can reproduce it. Not just an escrow party who's incentivized not to disclose problems or risk no longer being accepted by vendor.
Replying to @RichFelker @dEnergy_dTime and
The point is, why can't you use the binary that you built? That would mean reproducible builds are worthless. Fine, building software is hard and you wanted someone else to reproduce it for you, but then why can't just the vendor and the auditor have the code?
Replying to @taviso @dEnergy_dTime and
Because the auditor can't be trusted if getting access to the code to audit it is contingent on maintaining a good relationship with the vendor. This is 101-level stuff, *sigh*
LOL. No relationship with the vendor is necessary, they're *your* customer. Keep grasping for those straws Rich.
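The check the thread is arguing over, written out as an added example (this is not code from any of the participants). A consumer of a binary hashes what they were shipped and compares it with the digests reported by rebuilders who built the same source revision themselves; the policy below accepts only when enough rebuilders that are not affiliated with the vendor agree, and rejects if any valid rebuilder reports a different digest. The rebuilder names, the revision string, the artifact bytes and the keys are all constructed inline, and HMAC-SHA256 with a per-rebuilder key stands in for a real signature scheme so the script runs offline.

```python
"""Quorum check over independent rebuild attestations (added example).

All rebuilders, keys, attestations and artifact bytes are constructed here;
HMAC-SHA256 with a shared key is an assumption standing in for a signature.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Rebuilder:
    name: str
    key: bytes                # stand-in for the rebuilder's signing key (assumption)
    vendor_affiliated: bool   # paid by or dependent on the vendor: not counted as independent


@dataclass(frozen=True)
class Attestation:
    rebuilder: str
    source_rev: str
    artifact_sha256: str
    mac: str                  # HMAC-SHA256 over the three fields above


def _message(rebuilder: str, source_rev: str, artifact_sha256: str) -> bytes:
    return f"{rebuilder}|{source_rev}|{artifact_sha256}".encode()


def attest(rb: Rebuilder, source_rev: str, rebuilt_artifact: bytes) -> Attestation:
    """What a rebuilder publishes after building source_rev itself."""
    digest = hashlib.sha256(rebuilt_artifact).hexdigest()
    mac = hmac.new(rb.key, _message(rb.name, source_rev, digest), hashlib.sha256).hexdigest()
    return Attestation(rb.name, source_rev, digest, mac)


def attestation_valid(rb: Rebuilder, att: Attestation) -> bool:
    """Check that att really comes from rb (constant-time MAC comparison)."""
    expected = hmac.new(rb.key, _message(att.rebuilder, att.source_rev, att.artifact_sha256),
                        hashlib.sha256).hexdigest()
    return att.rebuilder == rb.name and hmac.compare_digest(expected, att.mac)


def quorum_verdict(artifact: bytes, source_rev: str, attestations, rebuilders,
                   min_independent: int = 2) -> dict:
    """Accept the shipped artifact only if its digest is confirmed by at least
    min_independent rebuilders not affiliated with the vendor, and no valid
    rebuilder reports a different digest. Vendor-affiliated attestations are
    verified and reported but do not count toward the quorum."""
    by_name = {rb.name: rb for rb in rebuilders}
    shipped = hashlib.sha256(artifact).hexdigest()
    agree, disagree, invalid = [], [], []
    for att in attestations:
        rb = by_name.get(att.rebuilder)
        if rb is None or att.source_rev != source_rev or not attestation_valid(rb, att):
            invalid.append(att.rebuilder)     # unknown signer, wrong revision or bad MAC
        elif att.artifact_sha256 == shipped:
            agree.append(att.rebuilder)
        else:
            disagree.append(att.rebuilder)    # reproducible build did not yield what was shipped
    independent = [n for n in agree if not by_name[n].vendor_affiliated]
    accepted = len(independent) >= min_independent and not disagree
    return {"shipped_sha256": shipped, "accepted": accepted, "independent_agree": independent,
            "agree": agree, "disagree": disagree, "invalid": invalid}


# --- constructed sample data, not from the thread ---
SOURCE_REV = "foo-1.2.3+git0123abcd"
CLEAN_BUILD = b"\x7fELF...clean build of foo\x00"
TROJANED_BUILD = CLEAN_BUILD + b"\x00call_home()"
ESCROW = Rebuilder("vendor-escrow", b"k-escrow", vendor_affiliated=True)
UNI = Rebuilder("university-lab", b"k-uni", vendor_affiliated=False)
DISTRO = Rebuilder("distro-rebuilder", b"k-distro", vendor_affiliated=False)
REBUILDERS = [ESCROW, UNI, DISTRO]


def escrow_only_scenario() -> dict:
    """A single vendor-paid auditor vouches for the shipped binary: no quorum."""
    return quorum_verdict(TROJANED_BUILD, SOURCE_REV,
                          [attest(ESCROW, SOURCE_REV, TROJANED_BUILD)], REBUILDERS)


def public_quorum_scenario() -> dict:
    """Two independent rebuilders reproduce the shipped binary: accepted."""
    atts = [attest(rb, SOURCE_REV, CLEAN_BUILD) for rb in REBUILDERS]
    return quorum_verdict(CLEAN_BUILD, SOURCE_REV, atts, REBUILDERS)


def substituted_binary_scenario() -> dict:
    """Vendor ships something other than what independent rebuilders produce: rejected."""
    atts = [attest(ESCROW, SOURCE_REV, TROJANED_BUILD),
            attest(UNI, SOURCE_REV, CLEAN_BUILD),
            attest(DISTRO, SOURCE_REV, CLEAN_BUILD)]
    return quorum_verdict(TROJANED_BUILD, SOURCE_REV, atts, REBUILDERS)


def forged_attestation_scenario() -> dict:
    """An attestation carrying an independent rebuilder's name but a bad MAC is ignored."""
    forged = Attestation(UNI.name, SOURCE_REV, hashlib.sha256(CLEAN_BUILD).hexdigest(), "00" * 32)
    return quorum_verdict(CLEAN_BUILD, SOURCE_REV, [forged, attest(DISTRO, SOURCE_REV, CLEAN_BUILD)], REBUILDERS)


if __name__ == "__main__":
    for fn in (escrow_only_scenario, public_quorum_scenario,
               substituted_binary_scenario, forged_attestation_scenario):
        v = fn()
        print(f"{fn.__name__}: accepted={v['accepted']} independent={v['independent_agree']} "
              f"disagree={v['disagree']} invalid={v['invalid']}")
```

The `min_independent` threshold is where the two positions in the thread differ: with the escrow model there is exactly one rebuilder and it is vendor-affiliated, so the quorum can never be met unless the consumer lowers the bar to trusting that one party; with public source, anyone can add themselves to `REBUILDERS`, and a disagreeing report from any of them blocks acceptance.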