You said you don't "have an in-house build". So I guess you do now; then why can't you distribute that build? That doesn't require reproducible builds, and has the same security benefits.
If I understand correctly, you are seriously concerned your vendor's build server is compromised. You're concerned enough that you're willing to rebuild every package manually, but you draw the line at copying files around? Do you at least agree it's not a *strong* argument?
What you seem to be missing is the fact that users don't need to rebuild anything themselves in order to benefit from reproducible builds: https://twitter.com/wiretapped/status/1265026855121420289
What you seem to be missing is that you can get all the same security benefits *today* without having to spend millions developing new build systems. Do you agree we're just not seeing attackers produce tainted binaries from trusted but compromised build servers?
It's a non-sequitur for me. I don't see what distribution has to do with validation. Once the checksums match, I have no preference for mine or the vendors' packaging.
The difference is you're asking for a lot of work that could be easily solved today, equivalently, by you?