undefined | Better HN

0 pointsmeditate7y ago0 comments

It doesn't make it inherently safe, but if you are attempting to prove your builds are safe then it is impossible for anyone else to verify that without the source. See the thread on Debian reproducible builds from earlier this week for more discussion on this topic: https://news.ycombinator.com/item?id=19310638

Code signing is something you can do on both open-source or closed-source, but it doesn't prove anything other than that a particular build was made by a certain person.

0 comments

Spivak7y ago

"but it doesn't prove anything other than that a particular build was made by a certain person."

But that's what trust actually is. This IRL person or identity, that I trust, vouches for the non-maliciousness of this application.

Nasrudith7y ago

Except the core problem is key propagation because just anyone can have a key - paid or free if you don't know the source. It says it is from Globe Software and it matches with the provided key. It doesn't tell you if they really are Globe Software, let alone if they are a trustworthy company in the first place.

j / k navigate · click thread line to collapse

0 comments

Spivak7y ago

"but it doesn't prove anything other than that a particular build was made by a certain person."

But that's what trust actually is. This IRL person or identity, that I trust, vouches for the non-maliciousness of this application.

Nasrudith7y ago

j / k navigate · click thread line to collapse