Marcus, you've invented a fantasy threat model and you're upset that I don't agree we should defend against it. You don't need reproducible builds, you need open source. So yes, please stop trying.
I don't know, walk me through the attack you're imagining. I think if you used my system, the tainted binary will never execute on your system, so it's irrelevant if it's compromised or not?
I'm just trying to follow your argument and I understood https://twitter.com/taviso/status/1265052138071195650 … in that you have an alternative to reproducible builds for stopping a compromised build server from distributing tainted binaries. So you disagree with the premise that that's a worthwhile goal?
If that's the case I'd refer to David A. Wheeler's thesis (+ thesis website) for arguments why I think it is a worthwhile goal and better than just compiling locally. If I did misunderstand you, sorry, I'm probably too tired and should sleep instead.