undefined | Better HN

0 pointsPunchyHamster1mo ago0 comments

The way at least YK works is that you can set it up that pressing a key is requires for signing so at least "silently steals creds and sends malicious code" case (which is vast majority of compromises) gets handled

> Also if there is a compromise, reproducible builds allow you to later track it to the source.

They do not. Git log and build logs allow for that.

Reproductive builds only have value after the source. They protect build servers from being compromised (and then only if some other uncompromised environment is also running verification passes), if the bug is at source reproductive builds are exactly as valuable as writing commit that was used for build in app's code/package metadata.

0 comments

1 comments · 1 top-level

uecker1mo ago

If your compiler (or other tool or automatic build environment) is compromised and inserts a backdoor in the binary during building, the fact that you need to hold a key while signing or not is completely irrelevant.

git log and build logs do not help you at all, if you can not even determine that the compromised binary has any relation to the build log or the source you may want to look it. This is what reproducible builds give you. You are right that it does not protect against compromised sources.

j / k navigate · click thread line to collapse