by chuckadams
39 days ago
The xz hack was still reproducible, because it was included in the distribution archive which did not match the upstream source -- even then, it was so obfuscated it likely would have gone unnoticed, but nevertheless it only lived in the uploaded tarball and not in the repo. Reproducibility is a good thing, but the next step is build provenance. Still, lots of good non-security benefits to reproducible builds too.
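The check the comment points at, a release tarball that does not match the source tree it claims to come from, can be automated by comparing the archive against a fresh export of the repository. The script below is an added example, not code from the commenter or from the xz project: it builds a constructed toy project (`main.c`, `configure.ac`, `m4/helper.m4`) and two tarballs from it, one straight from the "repo" tree and one "release" tarball that carries an altered file plus a file that exists nowhere in the repo, then reports every file that is only in the release archive or whose bytes differ. In practice the source-side tarball would come from `git archive <tag>` and the release side from the published download; the file names here are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not the commenter's or the xz project's code):
# detect files that exist only in a release tarball, or differ from
# the corresponding file in an archive exported from the source tree.
set -eu

# make_sample_archives DIR
# Constructs a toy project under DIR and writes two archives:
#   DIR/source.tar  - the tree as exported from the repository
#   DIR/release.tar - the same tree with one modified file and one extra file,
#                     mimicking a release tarball that diverges from the repo.
# All file names and contents are constructed for this example.
make_sample_archives() {
    dir="$1"
    mkdir -p "$dir/src/m4" "$dir/rel/m4"
    printf 'int main(void) { return 0; }\n' > "$dir/src/main.c"
    printf 'AC_INIT([demo], [1.0])\n' > "$dir/src/configure.ac"
    printf 'dnl helper macro\n' > "$dir/src/m4/helper.m4"
    cp -R "$dir/src/." "$dir/rel/"
    # Constructed divergence: one file altered, one file only in the release
    printf 'dnl helper macro\ndnl extra line present only in the tarball\n' \
        > "$dir/rel/m4/helper.m4"
    printf 'echo generated\n' > "$dir/rel/only-in-tarball.sh"
    tar -cf "$dir/source.tar" -C "$dir/src" .
    tar -cf "$dir/release.tar" -C "$dir/rel" .
}

# compare_archives RELEASE_TAR SOURCE_TAR
# Extracts both archives and walks every regular file in the release tree.
# Prints one line per discrepancy:
#   "only-in-release <path>"  file absent from the source export
#   "differs <path>"          file present in both but with different bytes
# Returns 0 when the release archive is fully covered by the source export,
# 1 when at least one discrepancy was found.
compare_archives() {
    release="$1"; source="$2"
    work=$(mktemp -d)
    mkdir "$work/release" "$work/source"
    tar -xf "$release" -C "$work/release"
    tar -xf "$source" -C "$work/source"
    report="$work/report.txt"
    : > "$report"
    (cd "$work/release" && find . -type f | sort) | while read -r f; do
        if [ ! -f "$work/source/$f" ]; then
            echo "only-in-release ${f#./}" >> "$report"
        elif ! cmp -s "$work/release/$f" "$work/source/$f"; then
            echo "differs ${f#./}" >> "$report"
        fi
    done
    cat "$report"
    if [ -s "$report" ]; then rc=1; else rc=0; fi
    rm -rf "$work"
    return "$rc"
}

# Stand-alone demo: build the constructed archives and compare them.
demo_dir=$(mktemp -d)
make_sample_archives "$demo_dir"
compare_archives "$demo_dir/release.tar" "$demo_dir/source.tar" \
    || echo "release archive diverges from the source export"
rm -rf "$demo_dir"
```

The comparison is deliberately one-directional: a release tarball legitimately contains generated files (configure scripts, pre-built documentation) that a repository export lacks, so "only-in-release" lines are expected and need review rather than automatic rejection; "differs" lines for files that are supposed to be identical to the repository are the ones that warrant an immediate look.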