|
| ▲ | savolai an hour ago | parent | next [-] |
| “If you are wondering why we are doing this at all, then hopefully the Reproducible Builds website will explain why this is useful.” https://reproducible-builds.org/ Could you perhaps respond to the argumentation here? |
|
| ▲ | azkalam an hour ago | parent | prev | next [-] |
| Reproducible builds reduce the need for trusted parties. Have many organizations produce the binaries independently and post the artifacts. Once n of m parties agree on the artifact hash, take that as the trusted build. If every party reaches a different hash then we cannot build consensus. |
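The n-of-m agreement rule described in that comment, as an added example that is not part of the thread: each independent builder reports the SHA-256 of the artifact it produced, the consensus hash is accepted only when at least n builders reach it, and the builders that disagree are listed so their environment can be investigated. Builder names and artifact bytes are constructed sample data.

```python
import hashlib
from collections import Counter
from typing import Dict, List, Optional


def hash_artifact(data: bytes) -> str:
    """Digest a built artifact; builders compare these rather than the raw bytes."""
    return hashlib.sha256(data).hexdigest()


def consensus_build(reports: Dict[str, str], n: int) -> Optional[str]:
    """Return the artifact hash that at least n of the m builders agree on.

    reports maps builder name -> reported artifact hash. Returns None when no
    single hash reaches the threshold, i.e. no consensus can be built.
    """
    if n < 1 or n > len(reports):
        raise ValueError("threshold n must be between 1 and the number of builders")
    counts = Counter(reports.values())
    digest, votes = counts.most_common(1)[0]
    return digest if votes >= n else None


def dissenting_builders(reports: Dict[str, str], digest: str) -> List[str]:
    """Builders whose output did not match the agreed hash (worth inspecting)."""
    return sorted(name for name, h in reports.items() if h != digest)


# Constructed sample data: three builders produce identical bytes, one does not
# (for example a toolchain difference or a tampered build host).
GOOD_ARTIFACT = b"\x7fELF-example-binary-v1.2.3"
BAD_ARTIFACT = b"\x7fELF-example-binary-v1.2.3-modified"
SAMPLE_REPORTS = {
    "builder-a": hash_artifact(GOOD_ARTIFACT),
    "builder-b": hash_artifact(GOOD_ARTIFACT),
    "builder-c": hash_artifact(GOOD_ARTIFACT),
    "builder-d": hash_artifact(BAD_ARTIFACT),
}
# Every builder disagrees: the thread's "cannot build consensus" case.
DIVERGENT_REPORTS = {
    "builder-a": hash_artifact(b"build-1"),
    "builder-b": hash_artifact(b"build-2"),
    "builder-c": hash_artifact(b"build-3"),
}

if __name__ == "__main__":
    agreed = consensus_build(SAMPLE_REPORTS, n=3)
    print("trusted hash:", agreed)
    print("dissenting:", dissenting_builders(SAMPLE_REPORTS, agreed))
    print("divergent case:", consensus_build(DIVERGENT_REPORTS, n=2))
```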
|
| ▲ | MomsAVoxell 37 minutes ago | parent | prev | next [-] |
| Reproducible builds are applicable not only to respond to ‘attacks’, a subject you seem to be bikeshedding, but also for other reasons too. Anyone having to maintain a code base or a distributed fleet of devices will gain from this decision, immensely, as their operational periods come and go. Reproducible builds are about longevity as much as they are about security. Please don’t make bold claims about ‘no reason and little benefit’ while demonstrating ignorance of this hard fact: reproducible builds should have been the norm, in computing, from the get-go. |
| ▲ | bluGill 10 minutes ago | parent [-] |
| I longevity is harmed though. Your certs need to expire in a few years; we think that your toolchain will not be downloadable. |
|
|
| ▲ | eptcyka an hour ago | parent | prev | next [-] |
| It makes shipping backdoors a whole lot harder, yes. |
|
| ▲ | aborsy an hour ago | parent | prev [-] |
| There was perhaps no detected bug or attack. There have most likely been bugs or attacks that reproducible builds would have prevented. |
| ▲ | PunchyHamster an hour ago | parent [-] |
| And you base it on what exactly? It's "just" making sure the build process is always ordered. If anything it will make the attacker's job easier, as the Ubuntu package will have the same files structured exactly the same way as the Debian one. |
|