key compromise in the absence of universal codesigning transparency has a silent failure mode. deterministic builds can help alleviate that.
You don't need a code signature if you built it from source. You already know the binary came from the source code you have to trust anyway?
OK, in which fantasy world (your wording used so far against me, so I'll allow myself the usage of this term, although I find the tone inappropriate) can a user do the chromium build on their Allwinner CPU smart phone?
You're confused. Halvar already wants to build the package, and is obviously capable of running dpkg-buildpackage. The difference is I'm saying he should install his .deb, he's saying he wants the vendor to invest in reproducible builds so he can checksums.
So your argument is: Distribution of precompiled binaries is the issue; source code distribution and decentralized build solves it? I will not argue against that. It is *a* solution. Now...
Yes, I suppose. I think a lot of people are enamored with it because they think it protects against malicious vendors, but that's not true. It *could* protect against compromised build infra, but we have better solutions already!