And what does that have to do with a sensible approach to getting software that Matthew says they can trust onto the smart phones of a couple billion people, many who don't have any IT device but their phone?
Here is how to do it without reproducible builds: Matthew builds the binary he's audited, uploads it to the play store, then you download it. Works today, doesn't require any reproducible builds, doesn't require disabling updates. Done!
What if I don't know who to trust, so I want a version n people have signed off on instead of accepting Matthew as my SPOF?
Then Matthew has to take responsibility of being a distributor, and possibly being blamed as the one responsible for a bugdoor if it's present in his build. Matthew almost certainly does not want either of these things. See also: https://twitter.com/RichFelker/status/1264999387517923328 …
In your opinion, if openssl is bugdoored, will Debian be blamed? I've audited openssl and found some bugs, will I be blamed if I missed some?
Oh is the play store available for other than Android?