by meditate
2660 days ago
It doesn't make it inherently safe, but if you are attempting to prove your builds are safe, then it is impossible for anyone else to verify that without the source. See the thread on Debian reproducible builds from earlier this week for more discussion on this topic: https://news.ycombinator.com/item?id=19310638 Code signing is something you can do on both open-source and closed-source, but it doesn't prove anything other than that a particular build was made by a certain person.
But that's what trust actually is. This IRL person or identity, that I trust, vouches for the non-maliciousness of this application.