
> That's not how it works, you have to reproduce it before it becomes trusted.

Eh, there's stuff you can do with software before you trust it. E.g. you can start pressing the CDs or distributing the data to your servers. Just don't execute it, yet.

> Sure, then we have to build a complex consensus system that introduces a bunch of unsolved problems. My opinion is that this just isn't worth it, there is practically nothing to gain and it's really really hard.

It's the same informal system that keeps e.g. Debian or the Linux kernel secure currently:

People don't do kernel reviews themselves. They just use the official kernel, and when someone finds a bug (or spots otherwise bad code), they notify the community.

Similar with reproducible builds: most normal people will just use the builds from their distro's server, but independent people can do 'reviews' by running builds.

If ever a build doesn't reproduce, that'll be a loud failure. People will complain and investigate.

Reproducible builds in this scenario don't protect you from untrusted code upfront, but they make sure you'll know when you have been attacked.



> People don't do kernel reviews themselves. They just use the official kernel, and when someone finds a bug (or spots otherwise bad code), they notify the community.

There's a big difference here. When a vulnerability is found in the Linux kernel, that doesn't mean that you were compromised.

If a build was found to be malicious, then you definitely were compromised and it's little solace that it was discovered after the fact. This is why package managers check the deb/rpm signature before installing the software, not after.
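The two checks discussed in the comments above (the signature check a package manager does before installing anything, and the independent rebuild that catches a build which does not reproduce) are different questions, and the following added example, which is not code from either commenter or from any distribution's tooling, keeps them apart. It uses a toy deterministic "compiler" and an HMAC as a constructed stand-in for the repository's signature (real apt/rpm repositories use OpenPGP signatures; HMAC is used only so the block runs offline with the standard library). Every key, source blob and scenario in it is constructed for illustration.

```python
import hashlib
import hmac

# Constructed stand-in for the distribution's signing key (assumption: a real
# repository signs with an asymmetric key that a mirror or attacker never holds).
DISTRO_KEY = b"constructed-distro-signing-key"
# Constructed source tree that both the distro and an independent builder can see.
PUBLIC_SOURCE = b"int main(void) { return 0; }\n"


def build(source: bytes, build_time: bytes = b"") -> bytes:
    """Toy compiler: the output depends only on the source, unless a build
    timestamp is baked in, which is the classic reproducibility breaker."""
    return b"BIN:" + hashlib.sha256(source).digest() + build_time


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign(key: bytes, payload: bytes) -> str:
    """Stand-in for the repository signature over the published digest."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify(key: bytes, payload: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign(key, payload), sig)


def publish(source: bytes, key: bytes, build_time: bytes = b"") -> dict:
    """What the distro's build server puts on the mirror: artifact, digest, signature."""
    artifact = build(source, build_time)
    digest = sha256_hex(artifact)
    return {"artifact": artifact, "sha256": digest, "sig": sign(key, digest.encode())}


def check_before_install(release: dict, distro_key: bytes, source: bytes) -> str:
    """Order matters: nothing is executed or installed until every check passes."""
    # 1. Signature first: is this the same build the distro published?
    if not verify(distro_key, release["sha256"].encode(), release["sig"]):
        return "REJECT: bad signature"
    # 2. Does the downloaded artifact match the signed digest? (the apt/rpm check)
    if sha256_hex(release["artifact"]) != release["sha256"]:
        return "REJECT: artifact does not match signed digest"
    # 3. Independent rebuild from public source: the "review" that reproducible
    #    builds make possible. A mismatch is the loud failure the thread describes.
    if sha256_hex(build(source)) != release["sha256"]:
        return "ALERT: build does not reproduce"
    return "OK"


def scenario_honest() -> str:
    return check_before_install(publish(PUBLIC_SOURCE, DISTRO_KEY), DISTRO_KEY, PUBLIC_SOURCE)


def scenario_tampered_mirror() -> str:
    """A mirror swaps the artifact and re-signs with a key it made up."""
    release = publish(PUBLIC_SOURCE, DISTRO_KEY)
    release["artifact"] = b"BIN:swapped-by-mirror"
    release["sha256"] = sha256_hex(release["artifact"])
    release["sig"] = sign(b"constructed-attacker-key", release["sha256"].encode())
    return check_before_install(release, DISTRO_KEY, PUBLIC_SOURCE)


def scenario_compromised_build_server() -> str:
    """The distro's own builder compiles altered source and signs it legitimately.
    The signature check passes; only the independent rebuild notices."""
    release = publish(PUBLIC_SOURCE + b"/* constructed extra code */\n", DISTRO_KEY)
    return check_before_install(release, DISTRO_KEY, PUBLIC_SOURCE)


def scenario_nondeterministic_build() -> str:
    """Same source, honest builder, but a timestamp baked into the binary:
    also a loud failure, which someone then has to investigate."""
    release = publish(PUBLIC_SOURCE, DISTRO_KEY, build_time=b"2024-01-01T00:00:00Z")
    return check_before_install(release, DISTRO_KEY, PUBLIC_SOURCE)


if __name__ == "__main__":
    for name, fn in [("honest", scenario_honest),
                     ("tampered mirror", scenario_tampered_mirror),
                     ("compromised build server", scenario_compromised_build_server),
                     ("nondeterministic build", scenario_nondeterministic_build)]:
        print(f"{name:26s} -> {fn()}")
```

The point the scenarios make: the signature check alone accepts the compromised-build-server case, because the distro really did sign it, while the rebuild check alone would accept a mirror swap if you skipped straight to comparing your own build with whatever you downloaded. Running both, with the signature first and nothing installed until the end, gives the "same build the repository has" guarantee and the "the repository's build is sane" guarantee separately.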


Well, you'd still check the signature, to make sure you have the same build that the Debian repository has.

This is just an additional check that the Debian repository has sane builds.

(If someone mucks around with the Debian repositories but you aren't the target, you might or might not be under attack.)



