|
|
|
|
|
|
by weinzierl
390 days ago
|
|
|
Thanks for that detailed argument, especially for pointing out the three necessary components. I agree even with the following paragraph in principle: "If you're wondering whether whatever.sh is safe in the first place, and you want some council of elders to pinky promise that it's safe to run, then I don't think the nix ecosystem has much to offer you." For me it is not so much about what the council of elders says, but more about when FAANG and Co. are OK to run a binary I think needn't worry about the rest.
Or to think this further, they should care more about Nix than I should. |
|
|
> - is this actually the binary that comes from that code?
Reproducible Builds that are also Bootstrappable Builds, starting from a minimal auditable machine code seed.
https://reproducible-builds.org/ https://bootstrappable.org/ https://lwn.net/Articles/983340/ https://stagex.tools/
> - is that code trustworthy?
Socially distributed code auditing:
https://github.com/crev-dev/
> - is this binary trustworthy?
The other two combined should provide this.