It's been a few days since I've received any hate mail from reproducible build fans, so I think it's time to stoke those flames. 🔥
Here are my thoughts on the topic, TL;DR: You don't need reproducible builds. blog.cmpxchg8b.com/2020/07/you-do
I want to verify if Signal app downloaded from PlayStore is actually built from their open sourced code. I trust PlayStore. I trust the open sourced code. I don't trust signal.org
I had started a thread internally. Look for "Verifiable build from open source".
How so? This is a genuine concern I have about those apps which claim they are "open source"
You *have* to trust the vendor. It makes zero sense to say you trust them to provide you source code, but not a binary. A bugdoor would be superior in literally every way, why are you not concerned about that?

