[liberationtech] Deterministic builds and software trust [was: Help test Tor Browser!]

adrelanos adrelanos at riseup.net
Thu Jun 20 19:26:44 PDT 2013


Mike Perry:
> This means that software development has to evolve beyond the simple
> models of "Trust my gpg-signed apt archive from my trusted build
> machine", or even projects like Debian are going to end up distributing
> state-sponsored malware in short order.

Hi Mike,

Very few, if any, people from the Debian community (or any other distro)
are aware of that threat model yet.

I failed at explaining the threat model. So I am looking forward to your
blog post. More publicity about this little-known, yet very serious
topic, is important.

Best,
adrelanos


