That doesn't make sense though, the only way you can know is because you also built it - at which point you don't need the signed binaries! The code signing is only useful if you want to know the binaries were produced by a vendor you already trust.
You're confused. Halvar already wants to build the package, and is obviously capable of running dpkg-buildpackage. The difference is I'm saying he should install his .deb, he's saying he wants the vendor to invest in reproducible builds so he can checksums.
I want to be able to build the package, and I want one rebuild to be sufficient. But as far as I can tell, the last two days of Twitter tit-for-tat have sufficiently entrenched your position that you are currently fighting too many fronts to seriously consider my viewpoint. So...
...since I only cared about a narrow subset of the thread, and since the timing for that narrow subthread is off, I will mute this conversation now. Happy to have a chat about this in email next week when everybody has cooled off to rationality again.