Now this is really worth a read... opensource.googleblog.com/20…
"For open source, one or more trusted agents could run the build as a service, signing the artifact to prove that they are accountable for its integrity." How do we trust the agents?
Replying to @codethink
In theory, the reproducible builds project gives us a pointer here. If *enough* "trustable" agents do the build and get the same result (i.e. each agent's signature validates the same final binary hash) then one can start to build out trust based on regular matching of results.

Feb 4, 2021 · 11:39 AM UTC

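The threshold rule sketched in the reply above, as an added example in Go that is not part of the original thread and not code from any project it mentions. It assumes a hypothetical minimal attestation (builder name, SHA-256 digest of the artifact, Ed25519 signature over the digest), a verifier that pins the public keys of the builders it trusts, and constructed artifact bytes standing in for a real binary. Agreement is accepted only when at least `threshold` distinct trusted builders validly sign exactly the same digest; forged, duplicate or tampered attestations are thrown out, a builder whose build drifted is reported as dissenting, and a split vote where two digests both reach the threshold fails closed rather than picking one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Attestation is a hypothetical minimal statement "builder X produced an
// artifact with SHA-256 digest D", signed with that builder's key.
type Attestation struct {
	Builder string
	Digest  [32]byte
	Sig     []byte
}

// Builder is a hypothetical build agent holding its own Ed25519 signing key.
type Builder struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewBuilder(name string) *Builder {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Builder{Name: name, Pub: pub, priv: priv}
}

// Attest hashes the bytes this builder produced and signs the digest.
func (b *Builder) Attest(artifact []byte) Attestation {
	d := sha256.Sum256(artifact)
	return Attestation{Builder: b.Name, Digest: d, Sig: ed25519.Sign(b.priv, d[:])}
}

// TrustSet is the verifier's pinned list of accepted builder keys.
func TrustSet(builders ...*Builder) map[string]ed25519.PublicKey {
	ts := make(map[string]ed25519.PublicKey, len(builders))
	for _, b := range builders {
		ts[b.Name] = b.Pub
	}
	return ts
}

// Verdict records the outcome: the accepted digest (if any), who signed it,
// who validly signed something else, and which attestations were discarded.
type Verdict struct {
	Agreed     bool
	Digest     string              // hex SHA-256 of the accepted artifact, "" if none
	Agreeing   []string
	Dissenting []string            // valid signature, but a different digest
	Rejected   []string            // unknown builder, bad signature, or duplicate
	Votes      map[string][]string // every digest seen -> builders who signed it
}

// Evaluate applies the threshold rule: accept a digest only if at least
// `threshold` distinct trusted builders validly signed exactly that digest,
// and no second digest also reaches the threshold (ambiguity fails closed).
func Evaluate(trusted map[string]ed25519.PublicKey, atts []Attestation, threshold int) Verdict {
	v := Verdict{Votes: map[string][]string{}}
	seen := map[string]bool{}
	for _, a := range atts {
		pub, known := trusted[a.Builder]
		// One vote per pinned key, and only if the signature checks out.
		if !known || seen[a.Builder] || !ed25519.Verify(pub, a.Digest[:], a.Sig) {
			v.Rejected = append(v.Rejected, a.Builder)
			continue
		}
		seen[a.Builder] = true
		h := hex.EncodeToString(a.Digest[:])
		v.Votes[h] = append(v.Votes[h], a.Builder)
	}
	winners := 0
	for h, names := range v.Votes {
		if len(names) >= threshold {
			winners++
			v.Digest, v.Agreeing = h, names
		}
	}
	if winners != 1 {
		v.Digest, v.Agreeing = "", nil
		return v
	}
	v.Agreed = true
	for h, names := range v.Votes {
		if h != v.Digest {
			v.Dissenting = append(v.Dissenting, names...)
		}
	}
	sort.Strings(v.Dissenting)
	return v
}

func main() {
	// Constructed scenario: three independent builders, threshold 2 of 3.
	alpha, beta, gamma := NewBuilder("alpha"), NewBuilder("beta"), NewBuilder("gamma")
	trusted := TrustSet(alpha, beta, gamma)
	good := []byte("reproducible-artifact-v1.0")     // stand-in for the real binary
	drifted := []byte("reproducible-artifact-v1.0!") // gamma's build did not reproduce

	v := Evaluate(trusted, []Attestation{alpha.Attest(good), beta.Attest(good), gamma.Attest(drifted)}, 2)
	fmt.Printf("agreed=%v digest=%s... agreeing=%v dissenting=%v rejected=%v\n",
		v.Agreed, v.Digest[:12], v.Agreeing, v.Dissenting, v.Rejected)
}
```

The verifier never trusts a single signature; it trusts the pinned key set plus the count of independent keys that converge on one hash, which is the point of the reply: a dissenting builder is visible evidence (a non-reproducible toolchain or a compromised agent) rather than something silently accepted. Raise `threshold` to the full set if you want any disagreement at all to block release.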