Key compromise in the absence of universal code-signing transparency has a silent failure mode. Deterministic builds can help alleviate that.
Replying to @halvarflake @taviso and
The reason I want this is also personal: if I were paid to pwn, gathering the world's code signing keys would be a rather high item on my to-do.
Replying to @halvarflake @dEnergy_dTime and
That doesn't make sense though, the only way you can know is because you also built it - at which point you don't need the signed binaries! The code signing is only useful if you want to know the binaries were produced by a vendor you already trust.
Replying to @taviso @dEnergy_dTime and
Explain to me again how having built the binaries surfaces the use of compromised keys for the binaries on the repo?
Replying to @halvarflake @dEnergy_dTime and
It doesn't matter - you *have* trusted binaries, you were going to build them anyway. Codesigning is only relevant for people who don't have trusted binaries, but do have a vendor they trust, right?
Replying to @taviso @dEnergy_dTime and
I am not sure you are engaging with my argument. To repeat: I like deterministic builds because they may surface use of compromised signing keys. I don't think you get to decide that I should not care because I can build my own (trusted) binaries.
Replying to @halvarflake @dEnergy_dTime and
We agree that you can check if a build server is compromised or not with reproducible builds. I'm not saying you can't enjoy doing that if you like, but I am saying there's no security benefit over just open source.
Replying to @taviso @halvarflake and
Reproducible builds help glue together software supply chain security, e.g. how do you know which versions of dependencies are included, was it built from a two-party approved commit, etc.
Replying to @mik235 @halvarflake and
Easy: You already have to build the software yourself in order to verify it reproduces, so then you use that build. Then it doesn't matter if they're bit-for-bit identical or not.
Replying to @taviso @halvarflake and
Sure, but you could also verify that the signature on the Play Store version works with your build.
You already have to build it, install it, adb pull it, disable auto updates... why not just adb install your build?
No, you don't. You keep claiming that, but it's really nonsense: reproducible builds allow you to delegate trust.
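The "delegate trust" argument in the thread, as an added example that is not part of the original discussion: a consumer who never builds the software still gains a check from reproducible builds, because a published binary that carries a valid vendor signature but does not match what independent rebuilders produced is exactly the silent failure mode (compromised build server or signing key) that signature verification alone cannot see. The vendor signing key, the HMAC stand-in for a real code-signing scheme, the rebuilder hashes and the artifacts are all constructed here for illustration.

```python
import hashlib
import hmac
from typing import List

# Constructed stand-in for the vendor's code-signing key. Real code signing is
# asymmetric; HMAC is used only so this example runs offline with the stdlib.
VENDOR_SIGNING_KEY = b"vendor-signing-key-(constructed)"


def sign(artifact: bytes, key: bytes = VENDOR_SIGNING_KEY) -> bytes:
    """Vendor-side signing of a release artifact (constructed scheme)."""
    return hmac.new(key, artifact, hashlib.sha256).digest()


def signature_valid(artifact: bytes, signature: bytes) -> bool:
    """What a consumer with only the vendor key can check today."""
    return hmac.compare_digest(sign(artifact), signature)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify_release(published: bytes, signature: bytes,
                     rebuild_hashes: List[str], quorum: int = 2) -> str:
    """Combine the vendor signature with independent rebuild attestations.

    rebuild_hashes are sha256 digests reported by parties who rebuilt the same
    tagged source; at least `quorum` of them must agree before their hash is
    treated as the reference. The consumer never builds anything itself.
    """
    if not signature_valid(published, signature):
        return "REJECT: signature invalid"
    votes = {}
    for h in rebuild_hashes:
        votes[h] = votes.get(h, 0) + 1
    if not votes:
        return "UNVERIFIED: signature valid, no independent rebuilds"
    consensus, count = max(votes.items(), key=lambda kv: kv[1])
    if count < quorum:
        return "UNVERIFIED: rebuilders disagree, no quorum"
    if sha256(published) == consensus:
        return "OK: signature valid and matches independent rebuilds"
    # Valid signature, wrong bits: the case signing alone reports as fine.
    return ("ALERT: signature valid but binary differs from independent "
            "rebuilds (possible build-server or signing-key compromise)")


if __name__ == "__main__":
    clean = b"constructed release artifact v1.0"
    ref = sha256(clean)
    print(classify_release(clean, sign(clean), [ref, ref, ref]))
    backdoored = clean + b"\x90"  # constructed tampered build, still signed
    print(classify_release(backdoored, sign(backdoored), [ref, ref]))
```

The ALERT branch is the detection the thread is arguing about: it fires only because someone other than the signer rebuilt the source, so the consumer can rely on those rebuilders instead of building locally.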