On 12/14/22 11:30 AM, Bernhard M. Wiedemann via rb-general wrote:
He also once pointed me to
https://blog.cmpxchg8b.com/2020/07/you-dont-need-reproducible-builds.html

By the way, I think this person's argument falls apart here:

"The only way to verify that the untrusted binary is bit-for-bit identical to the binary that would be produced by building the source code, is to produce your own trusted binary first and then compare it. At that point you already have a trusted binary you can use, so what value did reproducible builds provide?"

That makes the incorrect assumption that a build you create yourself can always be trusted.

On the contrary, no single build can be trusted because it's too easy to compromise a single build environment. That's the benefit of verified reproducible builds: an attacker has to compromise several different build environments on different machines and networks and in different countries.

So the second diagram on the page does not create a trusted binary. You still want to keep the other build for comparison instead of throwing it in the trash.

John
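An added illustration of the comparison John describes (example code, not part of the thread or of any reproducible-builds project): each independent build environment produces its own artifact, and instead of discarding all but one, the digests are compared so that a single compromised environment shows up as the one that diverges. The builder names and artifact bytes are constructed sample data.

```python
import hashlib
from collections import defaultdict


def digest(artifact: bytes) -> str:
    """SHA-256 of a build artifact; bit-for-bit identical builds share one digest."""
    return hashlib.sha256(artifact).hexdigest()


def compare_builds(builds: dict, quorum: int = 2) -> dict:
    """Group independent builders by the artifact digest they produced.

    builds maps a builder name (a distinct machine, network or country)
    to the bytes of the artifact it built. The report names the digest that
    the largest group agrees on (None if fewer than `quorum` builders agree),
    the builders in that group, and the builders whose output diverged.
    """
    by_digest = defaultdict(list)
    for builder, artifact in builds.items():
        by_digest[digest(artifact)].append(builder)
    if not by_digest:
        return {"status": "no-builds", "agreed": None, "agreeing": [], "diverging": []}
    top_digest, agreeing = max(by_digest.items(), key=lambda kv: len(kv[1]))
    diverging = sorted(b for d, bs in by_digest.items() if d != top_digest for b in bs)
    if len(agreeing) < quorum:
        # One build on its own proves nothing: no quorum, no trusted digest.
        status, top_digest = "no-quorum", None
    elif diverging:
        # At least one environment produced something different: investigate it.
        status = "divergent"
    else:
        status = "reproduced"
    return {"status": status, "agreed": top_digest,
            "agreeing": sorted(agreeing), "diverging": diverging}


def demo() -> dict:
    """Constructed sample: three builders, one of which emits a modified binary."""
    good = b"\x7fELF\x02\x01\x01\x00" + b"genuine-build-output"
    builds = {
        "builder-a (machine 1, network 1)": good,
        "builder-b (machine 2, network 2)": good,
        "builder-c (machine 3, network 3)": good + b"\x90",  # simulated tampering
    }
    return compare_builds(builds)
```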
