It’s great that these reproducible builds are possible and this is an incredibly thorough and careful validation. Thanks!
jasonthorsness | 3 days ago
This is important work, and I thank you for it. These public transparency logs are important for keeping honest people honest, but also for keeping dishonest people out - If someone does manage to backdoor Google's build process, this is how they'll know.
GauntletWizard | 4 days ago
Repo of sourcespotter: https://github.com/SSLMate/sourcespotter
h4ck_th3_pl4n3t | 3 days ago
[dead]
TacticalCoder | 3 days ago
I started compiling the Go compiler myself over well over ten years ago when you had to compile it yourself to enable cross-compiling. That has not been the case in almost as long.
I have not stopped. I really should stop. At this point it's just kind of fun, but I have an unbroken chain of self-compiled Go compilers going back to the days when Go was written in C and not Go.
I am frankly really curious if my Go binary lives up to the reproducible build, or if some sort of Reflections on Trusting Trust type flaw worked itself in 10 years ago.