You do want to reinvent the building wheel though right? The packaging is trivial, and the distribution isn't difficult: You already have to stage official packages while you build and verify them, no?
Each endpoint could build, or you can get someone you already have to trust to build it for you, which is how it works today. That seems to be working pretty well, as you have to really stretch to provide any examples of it not working, correct?
I have no idea who has root on my OS vendor's build infrastructure. Whoever they are, I would like to not need to trust them. Confidence in the source code is an entirely orthogonal problem to confidence that a binary came from the source it claims. https://twitter.com/wiretapped/status/1265038148289155077
repro builds are actually also useful for closed-source software: vendors like Apple and Microsoft should have multiple independent teams maintaining separate parallel build infrastructures, to remove opportunities for malfeasance which individual build engineers currently have
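The "multiple independent build infrastructures" idea above can be expressed as a quorum check: a binary is accepted only when at least k independent builders, starting from the same source, report the same digest. This is an added illustration, not code from any of the posters; the builder names, artifact bytes and quorum size are constructed for the example. It shows the point made earlier in the thread as well: the check says nothing about whether the source is trustworthy, only whether the binary matches what that source builds to.

```python
import hashlib
from collections import Counter
from typing import Dict, List, Optional, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample: three independent build teams build the same release
# from the same source tree. With a reproducible build, two of them get
# byte-identical output; the third differs (stand-in for a tampered or
# misconfigured builder). These bytes are invented for the illustration.
CLEAN_ARTIFACT = b"\x7fELF\x02\x01\x01release-1.2.3 constructed payload"
TAMPERED_ARTIFACT = CLEAN_ARTIFACT + b"\x90\x90"

# Each builder publishes only the digest of what it produced (hypothetical
# attestation format: builder name -> sha256 hex).
ATTESTATIONS: Dict[str, str] = {
    "build-team-a": sha256_hex(CLEAN_ARTIFACT),
    "build-team-b": sha256_hex(CLEAN_ARTIFACT),
    "build-team-c": sha256_hex(TAMPERED_ARTIFACT),
}


def check_quorum(attestations: Dict[str, str],
                 quorum: int) -> Tuple[Optional[str], List[str]]:
    """Return (accepted_digest, dissenting_builders).

    accepted_digest is None unless at least `quorum` builders independently
    report the same digest. Dissenters are the builders to investigate:
    a differing digest means either a non-reproducible build or a builder
    whose output was altered somewhere in its infrastructure.
    """
    if not attestations:
        return None, []
    digest, agreeing = Counter(attestations.values()).most_common(1)[0]
    if agreeing < quorum:
        return None, sorted(attestations)
    dissenters = sorted(b for b, h in attestations.items() if h != digest)
    return digest, dissenters


def verify_download(artifact: bytes, attestations: Dict[str, str],
                    quorum: int) -> bool:
    """Endpoint-side check: accept the artifact only if its digest equals the
    quorum digest. No single builder's root access can change the result
    unless `quorum` builders are compromised together."""
    accepted, _ = check_quorum(attestations, quorum)
    return accepted is not None and sha256_hex(artifact) == accepted
```

Raising the quorum to the full builder count turns the check into "every builder must agree", which flags any non-reproducible build but also blocks releases whenever one builder is merely out of sync.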
I can provide lots of examples of backdoored source code, maliciously altered by attackers. Reproducible builds would all produce tainted binaries, and wouldn't prevent that, correct? E.g. https://lwn.net/Articles/57135/ https://www.rapid7.com/db/modules/exploit/unix/ftp/vsftpd_234_backdoor etc.