If a router vendor ships their source that's a modified OpenWRT, but doesn't do repro build processes, do you think it's likely that the source actually matches the firmware blob you download from their site? :-)
First, you need to explain why you want to use that specific binary so badly? Here is what I do if I don't trust a binary: I compile the source code, and use that binary. What is the attack against this system, which works today, that you're trying to solve?
It's solving the problem that very few people have sufficient resources to build all the binaries for all the software on all of their systems, so in practice nearly everyone must rely on lots of other people's build servers. Without repro builds, every build server is a SPOF.
Also, for organizations who do have sufficient resources (i.e. companies like your employer) it gives them the opportunity to make it much more difficult for a bad actor to compromise their own builds (even for internal and/or proprietary builds, potentially).
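An added example, not from the thread, of the check the two replies above are arguing for, written in Python over a constructed toy source tree: a build that stamps its own clock into the artifact cannot be corroborated by anyone else's rebuild, a build with pinned metadata can, and the hashes from independent rebuilds are compared against the vendor-published blob so that no single build server has to be trusted on its own.

```python
"""Why source availability alone does not let you verify a vendor blob.

Constructed example: a tiny "build" packs a source tree into a tar image,
once naively (build clock embedded) and once deterministically, then the
hashes of independent rebuilds are cross-checked against the vendor's blob.
"""
import hashlib
import io
import tarfile

# Constructed stand-in for a vendor's modified OpenWRT tree (not real files).
SOURCE_TREE = {
    "Makefile": b"all: firmware\n",
    "src/main.c": b"int main(void) { return 0; }\n",
}


def build(source: dict, deterministic: bool, build_clock: int) -> bytes:
    """Pack `source` into an uncompressed tar image and return its bytes.

    The naive build stamps every entry with the builder's clock, so two honest
    builders produce different bytes and cannot confirm each other. The
    deterministic build pins mtime, uid/gid and entry order (the idea behind
    SOURCE_DATE_EPOCH), so any builder gets the same bytes from the same source.
    """
    buf = io.BytesIO()
    names = sorted(source) if deterministic else list(source)
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            data = source[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = 0 if deterministic else int(build_clock)
            info.uid = info.gid = 0
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def corroborated(vendor_hash: str, independent_hashes: dict) -> tuple:
    """Return (ok, disagreeing_builders).

    The vendor blob is accepted only if every independent rebuild of the
    published source hashes identically to it. A builder that disagrees is
    named, because a single differing build server is exactly the SPOF case.
    """
    bad = sorted(b for b, h in independent_hashes.items() if h != vendor_hash)
    return (len(bad) == 0, bad)
```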