undefined | Better HN

0 pointspatates3y ago0 comments

How do you make sure that the source you see is the one that's deployed?

0 comments

3 comments · 2 top-level

cesarb3y ago· 1 in thread

> How do you make sure that the source you see is the one that's deployed?

With reproducible builds. Signal has done reproducible builds since 2016 (https://signal.org/blog/reproducible-android/), all you need to do is to get the APK from your device and compare it (see https://github.com/signalapp/Signal-Android/tree/main/reprod... for a detailed step-by-step).

patatesOP3y ago

The problem is, I have to trust my capability (and the others who actually read the source) to understand that the client doesn't trust the server, as long as I don't deploy the server too myself. Not to mention having to do the same for each update.

In a nutshell, at some point, you practically have to trust someone.

867-53093y ago

depends on the party deploying it

j / k navigate · click thread line to collapse