On Wed, Nov 14, 2018 at 1:12 PM Daniel Shahaf <d...@daniel.shahaf.name> wrote:
> The answer to (1) depends on the build platform and toolchain.
> Reproducible builds [in the sense of "building the same source twice
> gives bit-for-bit identical binaries"] can help with it. When the
> answer is negative, the next question is whether those unauditable
> artifacts should be carried by ASF mirrors alongside the source
> artifacts.

So if a project puts in the effort to a.) make their build reproducible (which can actually be very difficult to do), and b.) do a bit-for-bit compare on a release across at least two build artifacts, created by different people on different machines...

...would we be willing to see that threat as sufficiently eliminated for our purposes? Would we then be willing to "officially" release binaries?

Best Regards,
Myrle
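The check Myrle sketches in b.) above, written out as an added example (this is not code from the thread, from the ASF, or from any ASF project): each independent builder records the SHA-256 of the binary they produced from the same release tag, and the release only counts as reproduced when every digest agrees and the agreeing builds come from at least two distinct people on at least two distinct machines. Builder names, host names and the digests in the sample records are constructed for illustration and have no connection to any real release.

```python
"""Verify that a release artifact reproduced bit-for-bit across independent builds.

Added example: not the thread's, the ASF's, or any project's own tooling.
"""
import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class BuildRecord:
    """One independent build of the same release tag: who built, where, what came out."""
    builder: str   # person who ran the build (hypothetical ids in the samples below)
    host: str      # machine the build ran on; any stable identifier will do
    sha256: str    # hex SHA-256 of the binary artifact that build produced


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so a large tarball is not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_reproducible(records, min_independent=2):
    """Decide whether an artifact reproduced bit-for-bit across independent builders.

    Returns (ok, reason). ok is True only when
      * every record reports the same digest (the outputs are byte-identical), and
      * the agreeing records come from at least `min_independent` distinct
        builders AND at least `min_independent` distinct hosts.
    Two builds by one person, or two builds on one machine, are not independent:
    they would share the same toolchain quirks or the same compromised host.
    """
    if len(records) < min_independent:
        return False, f"need at least {min_independent} builds, got {len(records)}"

    by_digest = defaultdict(list)
    for rec in records:
        by_digest[rec.sha256.lower()].append(rec)

    if len(by_digest) > 1:
        # Not reproducible: say which builders disagree so they can diff the outputs.
        detail = "; ".join(
            f"{digest[:12]}... from {sorted(r.builder for r in recs)}"
            for digest, recs in by_digest.items()
        )
        return False, f"outputs differ: {detail}"

    (digest, agreeing), = by_digest.items()
    builders = {r.builder for r in agreeing}
    hosts = {r.host for r in agreeing}
    if len(builders) < min_independent:
        return False, f"only {len(builders)} distinct builder(s) agreed on {digest[:12]}..."
    if len(hosts) < min_independent:
        return False, f"only {len(hosts)} distinct host(s) agreed on {digest[:12]}..."
    return True, (f"{len(agreeing)} builds by {sorted(builders)} on {len(hosts)} hosts "
                  f"all produced {digest}")


# Constructed sample records for a hypothetical "example-1.2.3-bin.tar.gz".
# The digests are arbitrary hex strings, not hashes of any real artifact.
DIGEST_A = "7f83b1657ff1fc53b92dc18148a1d65dfc2d4b1fa3d677284addd200126d9069"
DIGEST_B = "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9"

SAMPLE_OK = [                      # two people, two machines, same bytes
    BuildRecord("alice", "alice-laptop", DIGEST_A),
    BuildRecord("bob", "ci-runner-7", DIGEST_A),
]
SAMPLE_SAME_BUILDER = [            # same bytes, but one person built both
    BuildRecord("alice", "alice-laptop", DIGEST_A),
    BuildRecord("alice", "alice-desktop", DIGEST_A),
]
SAMPLE_DIFFERING = [               # a third builder got different bytes
    BuildRecord("alice", "alice-laptop", DIGEST_A),
    BuildRecord("bob", "ci-runner-7", DIGEST_A),
    BuildRecord("carol", "carol-vm", DIGEST_B),
]

if __name__ == "__main__":
    for name, sample in [("ok", SAMPLE_OK),
                         ("same builder", SAMPLE_SAME_BUILDER),
                         ("differing", SAMPLE_DIFFERING)]:
        ok, reason = check_reproducible(sample)
        print(f"{name:13s} -> {'PASS' if ok else 'FAIL'}: {reason}")
```

In practice each builder would run `sha256_file()` over the artifact they built and publish the result (signed, ideally) so the release manager can assemble the records; a "outputs differ" result is the cue to diff the two artifacts and hunt for the embedded timestamp, build path, or toolchain version that crept in.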