I am not sure you are engaging with my argument. To repeat: I like deterministic builds because they may surface use of compromised signing keys. I don't think you get to decide that I should not care because I can build my own (trusted) binaries.
Replying to @halvarflake @dEnergy_dTime
We agree that you can check if a build server is compromised or not with reproducible builds. I'm not saying you can't enjoy doing that if you like, but I am saying there's no security benefit over just open source.
Replying to @taviso @dEnergy_dTime
You can say that if you like, but you have just defined “possibility to surface signing key abuse” as “no security benefit over open source”. I will concede this if I get copies of all debian package signing keys & passphrases in return.
Replying to @halvarflake @dEnergy_dTime
No, I am saying there is no security benefit to *reproducible builds* over open source. There is benefit to avoiding compromised code signing keys, but you *can already* do that with open source. Therefore, "reproducible builds have no security benefit over open source".
Replying to @taviso @dEnergy_dTime
How is compromised code signing key abuse mitigated currently?
Replying to @halvarflake @dEnergy_dTime
You don't need a code signature if you built it from source. You already know the binary came from the source code you have to trust anyway?
Replying to @taviso @halvarflake
OK, in which fantasy world (your wording used so far against me, so I'll allow myself the usage of this term, although I find the tone inappropriate) can a user do the chromium build on their Allwinner CPU smart phone?
Replying to @dEnergy_dTime @halvarflake
You're confused. Halvar already wants to build the package, and is obviously capable of running dpkg-buildpackage. The difference is I'm saying he should install his .deb, he's saying he wants the vendor to invest in reproducible builds so he can compare checksums.
Replying to @taviso @dEnergy_dTime
I want to be able to build the package, and I want one rebuild to be sufficient. But as far as I can tell, the last two days of Twitter tit-for-tat have sufficiently entrenched your position that you are currently fighting too many fronts to seriously consider my viewpoint. So...
Replying to @halvarflake @taviso
...since I only cared about a narrow subset of the thread, and since the timing for that narrow subthread is off, I will mute this conversation now. Happy to have a chat about this in email next week when everybody has cooled off to rationality again.
Marcus jumped into the thread with the unrelated question about "who can build chromium on their phone". I just tried my best to answer that bad-faith question.
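The check Halvar is arguing for, as an added example that is not code from the thread or from either participant: rebuild from the source you already have to trust, then compare the hash of your rebuild with the hash of the artifact the vendor signed and shipped. A valid vendor signature cannot distinguish an honest release from one an attacker produced with a stolen key; a rebuild comparison can, and it only needs to be done once if the build is deterministic. Packing a source tree into a tarball with pinned metadata stands in here for a real compile (the tar flags follow the usual reproducible-archive recipe); `reproducible_build`, `verify_against_rebuild`, the constructed fixture tree and the GNU tar, gzip and sha256sum dependencies are all this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Requires GNU tar (--sort), gzip, sha256sum.
set -eu

# "Build" step: pack a source tree deterministically. Everything that normally leaks
# wall-clock time or the builder's identity into the output is pinned, so two
# independent builds of the same source are byte-identical.
reproducible_build() {                       # $1 = source dir, $2 = output artifact
    epoch="${SOURCE_DATE_EPOCH:-1000000000}" # fixed timestamp (SOURCE_DATE_EPOCH convention)
    tar --sort=name --owner=0 --group=0 --numeric-owner \
        --mtime="@${epoch}" --mode='go=rX,u+rw,a-s' \
        -C "$1" -cf - . | gzip -n > "$2"     # gzip -n: no filename/mtime in the header
}

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# User-side check: rebuild from trusted source and compare with what the vendor shipped.
# Prints MATCH or MISMATCH. A vendor signature is irrelevant to this result; only a hash
# match says the shipped bytes came from this source via this recipe.
verify_against_rebuild() {                   # $1 = source dir, $2 = vendor artifact
    tmp=$(mktemp)
    reproducible_build "$1" "$tmp"
    if [ "$(sha256_of "$tmp")" = "$(sha256_of "$2")" ]; then r=MATCH; else r=MISMATCH; fi
    rm -f "$tmp"
    echo "$r"
}

# Constructed fixture (hypothetical project): a tiny source tree. Prints its path.
make_source_tree() {
    d=$(mktemp -d)
    printf '#include <stdio.h>\nint main(void){puts("hello");return 0;}\n' > "$d/hello.c"
    printf 'all: hello\n' > "$d/Makefile"
    echo "$d"
}

demo() {
    src=$(make_source_tree)
    work=$(mktemp -d)

    # 1. Honest vendor builds from the same tree and ships vendor.tgz (signed, in reality).
    reproducible_build "$src" "$work/vendor.tgz"
    # 2. Reproducibility: a later rebuild (new file mtime) must still hash identically.
    touch "$src/hello.c"
    echo "honest vendor:   $(verify_against_rebuild "$src" "$work/vendor.tgz")"

    # 3. Stolen key or compromised build server: attacker ships a backdoored tree under the
    #    real signature. Signature verification passes; the rebuild comparison does not.
    bad=$(make_source_tree)
    printf 'int backdoor(void){return 1;}\n' >> "$bad/hello.c"
    reproducible_build "$bad" "$work/vendor-tampered.tgz"
    echo "tampered vendor: $(verify_against_rebuild "$src" "$work/vendor-tampered.tgz")"

    rm -rf "$src" "$bad" "$work"
}

demo
```

Note what the comparison does and does not buy: it detects a shipped artifact that was not produced from the published source by the published recipe, which is exactly the stolen-key and compromised-build-server case; it says nothing about backdoors that are in the source itself, which is the part both sides of the thread agree you have to trust anyway.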