Stop conflating "open source" and "reproducible builds", it's infuriating!
Well, reproducible builds work like this: I give you a source tarball that you *have* to trust (if you don't there might be bugdoors), and a binary that might be tainted. You rebuild the binary, and verify it's bit-for-bit identical, therefore not tainted.
-
You now have two bit-for-bit identical binaries, one you trust and one you don't and therefore know they're both safe. I'm saying, who cares about the vendor supplied one? Just use the one you built, and it doesn't matter if it was reproducible or not.
-
Sorry, I don't see how that helps in stopping a compromised build server from distributing compromised binaries undetected. What am I missing?