
irundebian | 3 months ago

The provided binaries may still contain malicious code but it guarantees that no malicious code has been inserted in between the build process of the published code. So if your binaries contain malicious code, you can be sure that all other users of the software version are affected, too.


tuananh | 3 months ago

Does anyone practice a dual build pipeline? E.g. one build by your DevOps team and another by your security team, then compare the binaries' hashes later, to verify everything is reproducible.

Is it a common practice?
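The check tuananh describes, as an added example that is not from the thread: two independent pipelines each leave their artifacts in a directory, and a script hashes every file in both trees and compares the manifests. The sample build trees, the `devops`/`security` directory names and the timestamped `build-info.txt` file are constructed for the example; the script assumes a POSIX shell with `sha256sum`, `find`, `sort`, `cmp` and `diff` available.

```shell
#!/bin/sh
# Added example, not code from the thread: a minimal "dual build pipeline"
# check. Two independent pipelines each leave their artifacts in a directory;
# every regular file in both trees is hashed and the manifests are compared.
# Any path whose SHA-256 differs, or that exists in only one tree, means the
# build is not reproducible and the binaries cannot be cross-verified.
# Assumes a POSIX shell with sha256sum (coreutils), find, sort, cmp and diff.

# Emit one "sha256  ./relative/path" line per regular file under $1, in a
# locale-independent order so two manifests are directly comparable.
hash_tree() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        sha256sum "$f"
    done )
}

# Compare the artifacts of two pipelines. Returns 0 when every file matches,
# 1 otherwise; on mismatch the differing manifest lines go to stderr.
compare_builds() {
    m1=$(mktemp) && m2=$(mktemp) || return 2
    hash_tree "$1" > "$m1"
    hash_tree "$2" > "$m2"
    if cmp -s "$m1" "$m2"; then
        rm -f "$m1" "$m2"
        echo "reproducible: $1 and $2 contain identical artifacts"
        return 0
    fi
    echo "MISMATCH between $1 and $2 (< first, > second):" >&2
    diff "$m1" "$m2" >&2 || true
    rm -f "$m1" "$m2"
    return 1
}

# Constructed sample trees for this example: the binary is identical in both
# builds, but each pipeline also emitted a build-info file carrying its own
# timestamp, the classic source of irreproducible output. Prints the root dir.
make_sample_trees() {
    root=$(mktemp -d)
    mkdir -p "$root/devops/bin" "$root/security/bin"
    printf 'deterministic payload\n' > "$root/devops/bin/app"
    printf 'deterministic payload\n' > "$root/security/bin/app"
    printf 'built-at: 2024-01-01T00:00:00Z\n' > "$root/devops/build-info.txt"
    printf 'built-at: 2024-01-01T00:05:17Z\n' > "$root/security/build-info.txt"
    echo "$root"
}

# Stand-alone demo: the first comparison fails on the timestamp file, the
# second succeeds once that non-deterministic artifact is left out of the build.
demo_root=$(make_sample_trees)
compare_builds "$demo_root/devops" "$demo_root/security" || echo "first check: NOT reproducible"
rm "$demo_root/devops/build-info.txt" "$demo_root/security/build-info.txt"
compare_builds "$demo_root/devops" "$demo_root/security" && echo "second check: reproducible"
rm -rf "$demo_root"
```

In a real pipeline the two trees would come from separately operated builders (different teams, hosts or credentials), and a mismatch should block release until the differing file is explained; embedded timestamps, absolute paths and unordered archive members are the usual culprits.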

indolering | 3 months ago

It is not common outside of security inclined communities like cryptocurrencies. It should be and we are slowly moving there.

jraph | 3 months ago

Indeed, thanks for the precision!