IRC channel logs

2020-08-05.log


<akkartik>OriansJ: I see you brought up http://blog.cmpxchg8b.com/2020/07/you-dont-need-reproducible-builds.html but didn't get any bites. The author is missing the scenario where anybody in the world can validate a build at any point in the future. That possibility will force vendors to act more responsibly.
<akkartik>Of course, the author also claims plausibly deniable 'bugdoors' are easier to write than binary edits. If you believe that I guess everything else is moot.
<akkartik>Anyways, I'm curious to hear your thoughts.
<markjenkinsznc>akkartik, I weighed in with a bootstrapping angle on reddit, https://www.reddit.com/r/linux/comments/hzwdci/you_dont_need_reproducible_builds/g06e9wb/
<Profpatsch>akkartik: Just tell them that they can’t use good build caching without reproducibility
<Profpatsch>If they don’t understand the trust angle
<Profpatsch>Because that’s the part that capitalistic companies actually care about
<Profpatsch>wow, I just realized we haven’t mentioned early cutoff once in our blog
<rain1>hey akkartik
<janneke>markjenkinsznc: great comment
<Hagfish> http://blog.cmpxchg8b.com/2020/07/you-dont-need-reproducible-builds.html
<Hagfish>ugh, Tavis, i expected more from you
<Hagfish>"They can still provide malicious source code to the builders for them to build and sign."
<Hagfish>use, and reproducible builds doesn't stop the source code from having bugs either
<Hagfish>talk about out of scope
<OriansJ`>akkartik: well it is true. It is easier to write malicious code in high level languages than it is in binary (at least manually) but it is also much harder to hide malicious code in the long term. Sure things like the International Obfuscated C Code Contest and Underhanded C Contest show the sort of ways of hiding malicious behavior. But complexity is key for hiding bad behavior; all long term code cleanups will inevitably eliminate any underhanded code
<OriansJ`>personally I think the writer is thinking too much in the perspective of proprietary software distribution; where access to source code doesn't happen and blind trust is the default.