> We already fully trust the sources they release, and we already fully
> trust their binary compiler releases.
Well that assumption is 100% wrong.
Trusting source code is the wrong place to place trust.
And trusting binaries is just a bad idea in general.
But for the people who do choose to trus
On 12/14/22 11:30 AM, Bernhard M. Wiedemann via rb-general wrote:
He also once pointed me to
https://blog.cmpxchg8b.com/2020/07/you-dont-need-reproducible-builds.html
I also wonder how all this verification is going to work.
For example, I'll soon be providing reproducible builds of OpenJDK. H
On 2022-12-14, Bernhard M. Wiedemann via rb-general wrote:
> a colleague of mine is rather skeptical towards bootstrapping and
> reproducible-builds.
>
> E.g. he wrote
>
> https://fy.blackhats.net.au/blog/html/2021/05/12/compiler_bootstrapping_can_we_trust_rust.html
This seems to miss the point tha
Hi,
a colleague of mine is rather skeptical towards bootstrapping and
reproducible-builds.
E.g. he wrote
https://fy.blackhats.net.au/blog/html/2021/05/12/compiler_bootstrapping_can_we_trust_rust.html
and the effect can also be seen in his packaging such as
https://build.opensuse.org/package/sh
On Tue, 13 Dec 2022 at 18:15, Vagrant Cascadian wrote:
>
> It would be interesting to do something more systematic like your
> suggestion, though I'm not aware of anything at the moment.
Thanks Vagrant, that's good to know (it matches my understanding too,
from searching around).
Roughly speakin