It's relevant that you dont have a solution to the problem of malicious source code, you *have* to trust it. The system you run the binary on cant be compromised and the source code must be trusted, or repro builds are pointless, agreed? You're already owned if those arent true.
-
-
I think we've probably reached an impasse if you can't agree to this. The system where you run the trusted binary *can't* already be compromised, or the binary can be tampered with. That makes the fact that it was reproduced irrelevant. I guess we've found the point we disagree.
-
you need to trust the system you *run* the software on, but not any one you build it on. if i rely on N different systems with enough RAM to build firefox, and one more trusted one with only enough RAM to run it, i know that a repro build is good unless all N builders are bad.
- 4 more replies
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.