Trusting X to be competent and not to be conspiring with Y is not the same as trusting X to provide you binaries.
Nobody claims reproducible builds prevent backdoors; they definitely don't. People do (correctly) claim they prevent compromised build servers from producing tainted binaries. I'm saying you can do that *today*, *without* reproducible builds.
Did you describe how to do that instead? I couldn't find it, but it's hard to navigate these threads and I get the impression that whether there is a good alternative to using reproducible builds for this is a point of contention in this discussion.
Well, reproducible builds work like this: I give you a source tarball that you *have* to trust (if you don't there might be bugdoors), and a binary that might be tainted. You rebuild the binary, and verify it's bit-for-bit identical, therefore not tainted.
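The check described in the reply above, as an added example that is not part of the original thread: a constructed stand-in for a compiler, a verifier that compares the published binary against a rebuild by hash, and three cases a practitioner runs into. The `build` function, its header bytes and the timestamp field are all assumptions made up for this illustration; they do not model any real toolchain.

```python
import hashlib


def sha256(data: bytes) -> str:
    """Digest used to compare artifacts bit-for-bit."""
    return hashlib.sha256(data).hexdigest()


def build(source: bytes, embed_timestamp: bool = False, timestamp: int = 0) -> bytes:
    """Constructed toy 'compiler': header + optional build timestamp + source.

    With embed_timestamp=True the output depends on when it was built,
    which is the classic source of non-reproducibility (fixed in practice
    by pinning the timestamp, as SOURCE_DATE_EPOCH does).
    """
    header = b"\x7fBIN"  # hypothetical magic bytes, not a real format
    stamp = timestamp.to_bytes(8, "little") if embed_timestamp else b""
    return header + stamp + source


def verify(published_binary: bytes, rebuilt_binary: bytes) -> bool:
    """Reproducible-build verification: rebuild from the (trusted) source
    and require the result to be identical to what was distributed."""
    return sha256(published_binary) == sha256(rebuilt_binary)


# Constructed sample source; in the real procedure this is the tarball
# you already trust (the check says nothing about bugdoors in it).
SOURCE = b"int main(void) { return 0; }\n"


def case_clean_build() -> bool:
    """Deterministic toolchain, untouched binary: the rebuild matches."""
    published = build(SOURCE)
    return verify(published, build(SOURCE))


def case_tainted_build_server() -> bool:
    """The build server appended bytes the source does not account for:
    the rebuild differs, so the published binary is rejected."""
    published = build(SOURCE) + b"\x00unexplained-extra-bytes"
    return verify(published, build(SOURCE))


def case_nondeterministic_toolchain() -> bool:
    """No tampering at all, but the toolchain embeds a build time: the
    rebuild still differs, so the check cannot tell 'tainted' from
    'merely non-reproducible'. This is why the build must be made
    reproducible before the comparison means anything."""
    published = build(SOURCE, embed_timestamp=True, timestamp=1_600_000_000)
    rebuilt = build(SOURCE, embed_timestamp=True, timestamp=1_600_000_100)
    return verify(published, rebuilt)


def case_pinned_timestamp() -> bool:
    """Same toolchain with the timestamp pinned on both sides: matches."""
    published = build(SOURCE, embed_timestamp=True, timestamp=1_600_000_000)
    rebuilt = build(SOURCE, embed_timestamp=True, timestamp=1_600_000_000)
    return verify(published, rebuilt)


if __name__ == "__main__":
    print("clean build matches:", case_clean_build())
    print("tainted build server matches:", case_tainted_build_server())
    print("unpinned timestamp matches:", case_nondeterministic_toolchain())
    print("pinned timestamp matches:", case_pinned_timestamp())
```

The third case is the practical caveat: a mismatch only tells you the rebuild differs, not why, so a verifier needs a reproducible toolchain (pinned timestamps, stable file ordering, no embedded paths) before a failed comparison can be read as evidence of a compromised build server.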
Curious, and this isn’t me being smug, but I’m assuming I’ve missed some important literature: how do you verify that?