I'll verify it on 1 host. Verify the binary checksum. Use the binary on the other 100.
You said you don't "have an in-house build". So I guess you do now, then why can't you distribute that build? That doesn't require reproducible builds, and has the same security benefits.
2 replies 0 retweets 1 like
how do you know the in house build server is ok?
1 reply 0 retweets 1 like
how do you know anything isn't compromised? Are we going to discuss "reflections on trusting trust", or are we going to talk about reproducible builds?
2 replies 0 retweets 3 likes
Replying to @taviso
I'd actually be interested if you're also disagreeing with David A. Wheeler's thesis on countering trusting trust (especially sec. 4.6, 6, 8.8 & 8.9), which makes use of reproducible builds: https://dwheeler.com/trusting-trust/ It also considers compromise of build env other than the compiler.
1 reply 0 retweets 0 likes
Replying to @jix_
The only claim I'm disagreeing with is that build reproducibility prevents backdoors. People are claiming that it can detect tainted output from *trusted* but compromised build infra, and they're correct. I'm saying that you can already do that today.
2 replies 0 retweets 1 like
The play store? Android only right?
1 reply 0 retweets 0 likes
I can't parse that tweet sorry.
1 reply 0 retweets 0 likes
Responding to "People are claiming that it can detect tainted output from *trusted* but compromised build infra, and they're correct. I'm saying that you can already do that today." I saw "use the play store" as your response. Did I miss another solution of yours?
2 replies 0 retweets 0 likes
You know what, don't bother replying. We disagree, your mind is made up, and let's just part here.
1 reply 0 retweets 0 likes
I think you're confusing me for someone else
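The two checks the thread argues about, as an added example that is not part of any tweet above: the first tweet's "verify on one host, record the checksum, use the binary on the other 100" is a digest pinned by one verified build and checked everywhere else; the reproducible-builds check is two independent builds of the same source compared for bit-identical output. The artifact bytes, names and version are constructed sample values, and `BuildRecord` is a hypothetical record format.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample data: the output of the one verified build, the copy
# shipped to the other hosts, and a copy in which a single byte differs.
VERIFIED_BUILD = b"\x7fELF-example-binary-v1.0 (constructed sample, not a real binary)"
SHIPPED_OK = bytes(VERIFIED_BUILD)
SHIPPED_TAMPERED = VERIFIED_BUILD.replace(b"v1.0", b"v1.O")


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an artifact, hex-encoded, as it would appear in a checksum file."""
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class BuildRecord:
    """Hypothetical record the single verified host publishes for the others."""
    name: str
    version: str
    sha256: str


def record_verified_build(name: str, version: str, artifact: bytes) -> BuildRecord:
    """Run once, on the host where the build was actually inspected."""
    return BuildRecord(name, version, sha256_hex(artifact))


def verify_artifact(record: BuildRecord, artifact: bytes) -> bool:
    """Run on every other host before the binary is used: the shipped bytes
    must hash to the digest recorded by the verified host. compare_digest
    avoids leaking where the two strings first differ."""
    return hmac.compare_digest(record.sha256, sha256_hex(artifact))


def builds_reproduce(build_a: bytes, build_b: bytes) -> bool:
    """The reproducible-builds check: two independent builds of the same
    source (e.g. in-house and upstream) must be bit-identical. A mismatch
    tells you one build environment produced different output; it does not
    tell you which one is the honest one."""
    return sha256_hex(build_a) == sha256_hex(build_b)


if __name__ == "__main__":
    rec = record_verified_build("example-tool", "1.0", VERIFIED_BUILD)
    print("record:", rec)
    print("shipped copy ok:      ", verify_artifact(rec, SHIPPED_OK))
    print("tampered copy ok:     ", verify_artifact(rec, SHIPPED_TAMPERED))
    print("independent rebuild:  ", builds_reproduce(VERIFIED_BUILD, SHIPPED_OK))
    print("rebuild vs tampered:  ", builds_reproduce(VERIFIED_BUILD, SHIPPED_TAMPERED))
```

The difference between the two functions is the point under dispute: `verify_artifact` only needs one trusted build and a way to distribute its digest, while `builds_reproduce` needs two builds that were meant to be identical and flags any divergence between them.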