Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Supply chain attacks are not theoretical! Just take a look at npm, docker and other repo lands.


Those attacks were not prevented by reproducible builds. Those supply chain attacks are the kind of things resources should be put into preventing.


They were completely preventable by independent verification. Just that without reproducible build you can't independently verify anything.


Maybe some of them were preventable, but if it was in place attackers would easily adapt to fool the automated systems and we would be back at status quo.

>without reproducible build you can't independently verify anything.

This is myth propagated by reproducible builds people. Byte for byte similarity is not required to detect a Trojan was injected into one.


You are right, I should not have said "you can't independently verify anything", but then you generally need to know what you are looking for.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: