I answered all of that. We can't use the binary we built, because we are not the end user, who depends on our audit, nor the vendor, with the power to upload a binary. 1/n
Yes but *why*? You're already building them and you already trust the developer, why does it matter? It seems like just being open source is enough.
Because in a scenario where the dev may have had his signing keys compromised, and someone has compromised the bin repo, I have a chance of knowing. It goes back to "I want to be able to establish that a given binary was built from a given source snapshot".
Key compromise in the absence of universal codesigning transparency has a silent failure mode. Deterministic builds can help alleviate that.