Easy: You already have to build the software yourself in order to verify it reproduces, so then you use that build. Then it doesn't matter if they're bit-for-bit identical or not.
-
Responding to "People are claiming that it can detect tainted output from *trusted* but compromised build infra, and they're correct. I'm saying that you can already do that today." I saw "use the play store" as your response. Did I miss another solution of yours?
-
I still don't follow, I didn't say "use the play store", where are you getting that from?