
Reproducible builds are a waste of time - ingve
http://www.tedunangst.com/flak/post/reproducible-builds-are-a-waste-of-time
======
theoh
"Or submit “harmless” refactoring patches that exploit minifier, sorry,
compiler bugs to introduce new vulnerabilities."

I like this line but I'm not sure I get the joke. Is it that serious attacks
are likely to target a weak point like JavaScript in the browser, or that
modern software is so darn procedural that the compiler is really just a
glorified minifier that hardly does any optimization?

~~~
vog
I guess he makes fun of a perceived special type of JavaScript developer:
those who were proud of their ultra-dynamic programming environment, laughing
at all those poor C/C++/Java folks who have to run everything through a
static, rigid, stiff compiler. And now we see them doing exactly the same
things they were once laughing at: they run their code through some
linter/static analyzer to catch bugs early, generate their CSS with a
CSS-compiler like Sass, and run their JavaScript through a minifier.

Instead of a "change-test" loop now we (as JavaScript developers) have a
"change-compile-test" loop, just like anyone else. It's just that we call it
"build" or "minify" instead of "compile".

There's some irony in that, and I believe that's what he is mocking in that
dig.

------
vog
_> Of course, the defense only works if only some of the compilers are
backdoored_

I don't think so. To my understanding, to go unnoticed by reproducible
builds, all compilers would have to be backdoored _in the same way_. That's
what makes reproducible builds so appealing.
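An added example, not part of the thread, of the check vog is describing: independent builders rebuilding the same source must agree byte for byte, so a single tampered toolchain stands out as a dissenter, while the second scenario shows the blind spot vog's wording implies, where every builder is tampered identically and the check passes. The builder names, the toy compiler functions and the source snippet are all constructed for illustration.

```python
import hashlib
from collections import Counter


def build_digest(artifact: bytes) -> str:
    """Digest of a build artifact; reproducibility is compared on this."""
    return hashlib.sha256(artifact).hexdigest()


def check_reproducible(builds: dict[str, bytes]) -> dict:
    """builds maps an independent builder name to the artifact it produced.

    The consensus digest is the one most builders produced; any builder whose
    artifact differs is reported as a dissenter. A build is reproducible only
    when every builder agrees.
    """
    digests = {name: build_digest(artifact) for name, artifact in builds.items()}
    counts = Counter(digests.values())
    consensus, _ = counts.most_common(1)[0]
    dissenters = sorted(name for name, d in digests.items() if d != consensus)
    return {
        "reproducible": len(counts) == 1,
        "consensus": consensus,
        "dissenters": dissenters,
        "distinct_outputs": len(counts),
    }


# Constructed toy toolchains: an honest one emits the same bytes for the same
# source every time; a backdoored one silently appends an extra instruction.
SOURCE = b"int main(void) { return 0; }"


def honest_compiler(src: bytes) -> bytes:
    return b"OBJ:" + src


def backdoored_compiler(src: bytes) -> bytes:
    return b"OBJ:" + src + b"; <injected code>"


def scenario_one_backdoored() -> dict:
    """One of three builders is compromised: its output is the odd one out."""
    return check_reproducible({
        "builder-a": honest_compiler(SOURCE),
        "builder-b": honest_compiler(SOURCE),
        "builder-c": backdoored_compiler(SOURCE),
    })


def scenario_all_backdoored_identically() -> dict:
    """Every builder is compromised the same way: the check cannot tell."""
    return check_reproducible({
        "builder-a": backdoored_compiler(SOURCE),
        "builder-b": backdoored_compiler(SOURCE),
    })
```

The first scenario flags builder-c and shows two distinct outputs; the second reports the build as reproducible with no dissenters, which is exactly the case vog's "in the same way" condition describes.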

