BenTheElder | 4 years ago

Those are interesting points / possible approaches; however, is there any indication that this particular project enables any of that?

This seems focused on signing binaries / build artifacts.

IMHO it seems like if you have the threat model of "crowbarred maintainer forced to insert backdoor" you probably don't trust sources, let alone binaries, and need to vet your dependency sources and then compile your own binaries from them.

Many open source dependencies will not have a jurisdictionally diverse review team, or any review team at all (single maintainer).

dane-pgp | 4 years ago

With reproducible builds, the difference between signing a binary and signing the source code from which it is built should be meaningless.

I agree that the threat model should include the threat of untrustworthy source code, because we want the countermeasures to work equally well against backdoors, "bugdoors", and genuine bugs.

BenTheElder | 4 years ago

Good points.

I suspect for a lot of projects reproducible builds are themselves a bit of a hurdle and not being verified in the rarer case that they already exist, but the point of reproducible + signed builds as indirect source-signing stands.
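A small worked illustration of the point the two comments above converge on (a signature over a reproducibly built binary doubling as a signature over the source), added here as example code rather than anything from the thread or from the project under discussion. The "source tree", the toy build functions and the HMAC "signature" under a constructed maintainer key are all assumptions standing in for a real compiler and a real signing key; the consumer-side check is what matters: it only passes when the published binary matches the signed digest and a local rebuild of the vetted source is byte-identical.

```python
import hashlib
import hmac

# Constructed sample source tree (path -> bytes); not a real project.
SOURCE_TREE = {
    "main.c": b'#include <stdio.h>\nint main(void) { puts("hello"); return 0; }\n',
    "Makefile": b"all: main\n",
}

# Assumption: stands in for the maintainer's signing key. A real system would use
# an asymmetric signature and a keyring, not a shared secret.
MAINTAINER_KEY = b"constructed-demo-key"


def source_digest(tree):
    """SHA-256 over the tree in canonical (sorted-path) order, so the digest does
    not depend on the order files were enumerated."""
    h = hashlib.sha256()
    for path in sorted(tree):
        h.update(path.encode("utf-8") + b"\x00" + tree[path] + b"\x00")
    return h.hexdigest()


def reproducible_build(tree):
    """Toy deterministic build: output depends only on the source bytes."""
    body = b"".join(tree[p] for p in sorted(tree))
    return b"TOYBIN\x00" + hashlib.sha256(body).digest() + body


def timestamped_build(tree, build_time):
    """Toy non-reproducible build: embeds the build time, as many toolchains do by
    default, so two honest builds of the same source differ."""
    return reproducible_build(tree) + b"\x00built-at:" + build_time.encode("utf-8")


def sign(message):
    """Stand-in for a signature: HMAC-SHA256 under the maintainer key (assumption)."""
    return hmac.new(MAINTAINER_KEY, message, hashlib.sha256).hexdigest()


def verify_signature(message, sig):
    return hmac.compare_digest(sign(message), sig)


def artifact_digest(binary):
    return hashlib.sha256(binary).hexdigest()


def verify_against_source(tree, published_binary, signed_digest, sig, build):
    """Downstream consumer's check. The signature must cover the artifact digest,
    the published binary must match it, and rebuilding the vetted source with
    `build` must reproduce the artifact byte for byte. Only then does a binary
    signature say anything about the source it claims to come from."""
    if not verify_signature(signed_digest.encode("utf-8"), sig):
        return False, "bad signature"
    if artifact_digest(published_binary) != signed_digest:
        return False, "published binary does not match signed digest"
    if artifact_digest(build(tree)) != signed_digest:
        return False, "local rebuild differs from signed artifact"
    return True, "signed binary corresponds to the vetted source"


def demo():
    results = {}

    # Case 1: maintainer signs the digest of a reproducible build; consumer rebuilds and agrees.
    binary = reproducible_build(SOURCE_TREE)
    digest = artifact_digest(binary)
    results["reproducible"] = verify_against_source(
        SOURCE_TREE, binary, digest, sign(digest.encode("utf-8")), reproducible_build)

    # Case 2: same honest source, but the toolchain stamps a build time; the consumer's
    # rebuild (at a different time) no longer matches, so the signature proves nothing.
    binary_ts = timestamped_build(SOURCE_TREE, "2021-08-10T12:00:00Z")  # constructed times
    digest_ts = artifact_digest(binary_ts)
    results["timestamped"] = verify_against_source(
        SOURCE_TREE, binary_ts, digest_ts, sign(digest_ts.encode("utf-8")),
        lambda t: timestamped_build(t, "2021-08-11T09:30:00Z"))

    # Case 3: a validly signed binary built from source that differs from the vetted tree;
    # the rebuild from the vetted tree exposes the mismatch despite the good signature.
    altered = dict(SOURCE_TREE, **{"main.c": SOURCE_TREE["main.c"] + b"/* extra */\n"})
    binary_alt = reproducible_build(altered)
    digest_alt = artifact_digest(binary_alt)
    results["altered_binary"] = verify_against_source(
        SOURCE_TREE, binary_alt, digest_alt, sign(digest_alt.encode("utf-8")), reproducible_build)
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:16s} {'OK ' if ok else 'FAIL'} {why}")
```

The second case is the hurdle the last comment mentions: nothing is wrong with the source or the signature, yet the check cannot succeed until the build is made deterministic, and a consumer who skips the rebuild step gets no source-level assurance from the signature at all.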