Attack on SolarWinds could have been countered by reproducible builds
Holger Levsen
holger at layer-acht.org
Wed Dec 30 16:30:11 UTC 2020
On Wed, Dec 30, 2020 at 04:41:08PM +0100, Hans-Christoph Steiner wrote:
> If you'd like to see a concrete use, for the apps that require reproducible
> builds in F-Droid, an APK build is not signed and released unless
> f-droid.org's build matches the upstream developer's APK.
while this is pretty cool, it's nothing a user can verify.
--
cheers,
Holger
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
⢿⡄⠘⠷⠚⠋⠀ PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
⠈⠳⣄