That doesn't make sense though, the only way you can know is because you also built it - at which point you don't need the signed binaries! The code signing is only useful if you want to know the binaries were produced by a vendor you already trust.
Replying to @taviso @dEnergy_dTime and
explain to me again how having built the binaries surfaces the use of compromised keys for the binaries on the repo?
Replying to @halvarflake @dEnergy_dTime and
It doesn't matter - you *have* trusted binaries, you were going to build them anyway. Codesigning is only relevant for people who don't have trusted binaries, but do have a vendor they trust, right?
Replying to @taviso @dEnergy_dTime and
I am not sure you are engaging with my argument. To repeat: I like deterministic builds because they may surface use of compromised signing keys. I don't think you get to decide that I should not care because I can build my own (trusted) binaries.
Replying to @halvarflake @dEnergy_dTime and
We agree that you can check if a build server is compromised or not with reproducible builds. I'm not saying you can't enjoy doing that if you like, but I am saying there's no security benefit over just open source.
Replying to @taviso @dEnergy_dTime and
You can say that if you like, but you have just defined “possibility to surface signing key abuse” as “no security benefit over open source”. I will concede this if I get copies of all Debian package signing keys & passphrases in return.
Replying to @halvarflake @dEnergy_dTime and
No, I am saying there is no security benefit to *reproducible builds* over open source. There is benefit to avoiding compromised code signing keys, but you *can already* do that with open source. Therefore, "reproducible builds have no security benefit over open source".
Replying to @taviso @dEnergy_dTime and
How is compromised code signing key abuse mitigated currently?
Replying to @halvarflake @dEnergy_dTime and
You don't need a code signature if you built it from source. You already know the binary came from the source code you have to trust anyway?
Replying to @taviso @dEnergy_dTime and
So your argument is: Distribution of precompiled binaries is the issue; source code distribution and decentralized build solves it? I will not argue against that. It is *a* solution. Now...
Yes, I suppose. I think a lot of people are enamored with it because they think it protects against malicious vendors, but that's not true. It *could* protect against compromised build infra, but we have better solutions already!