Hacker News

harrouet, today at 11:37 AM (2 replies)

You disagree but you're wrong.

Military context: a government would want to review the code and compile themselves. Provide a hash of the target binary to ensure they've compiled it correctly.

SDLC: provide auditors with _proof_ that the tested binary is indeed coming from the audited code
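The check harrouet describes (a second party rebuilds from the reviewed source and compares against a published hash) only works if the build itself is deterministic. The following is an added example, not code from the thread or from any project: it packages a constructed source tree two ways, a naive archive whose embedded timestamps change on every run and a normalised one (sorted entry order, mtime pinned per the SOURCE_DATE_EPOCH convention from reproducible-builds.org, owner and mode fields zeroed, gzip header mtime pinned), and then runs the verifier-side comparison against a "published" SHA-256. The file contents, the epoch value and the function names are all illustrative assumptions.

```python
"""Independent-rebuild check: does the artifact a reviewer builds from the
reviewed source hash to the value the vendor published?  Constructed
example; file contents, names and the 'published' hash are illustrative."""
import gzip
import hashlib
import hmac
import io
import tarfile
import time

# Constructed sample source tree standing in for the reviewed code.
SOURCE_TREE = {
    "src/main.c": b'#include <stdio.h>\nint main(void) { puts("hi"); return 0; }\n',
    "src/util.h": b'#define VERSION "1.0"\n',
    "README": b"build with: make\n",
}


def naive_build(tree, now=None):
    """Package the tree the way an ad-hoc `tar czf` does: dict order, each
    entry stamped with the wall clock, gzip header stamped with the wall
    clock.  Two runs never hash the same, so nobody can re-derive the hash."""
    now = time.time() if now is None else now
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in tree.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = now
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def reproducible_build(tree, source_date_epoch=0):
    """Same tree in -> byte-identical archive out, whoever builds it: sorted
    entry order, mtime pinned to SOURCE_DATE_EPOCH (reproducible-builds.org
    convention), owner/mode normalised, gzip header mtime pinned to 0."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in sorted(tree):
            data = tree[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = int(source_date_epoch)
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(data))
    out = io.BytesIO()
    # mtime=0 keeps the gzip header constant; compression level fixed explicitly.
    with gzip.GzipFile(fileobj=out, mode="wb", compresslevel=9, mtime=0) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_against_published(published_sha256, tree, source_date_epoch):
    """Verifier side: rebuild from the reviewed tree with the same
    SOURCE_DATE_EPOCH the vendor used and compare digests.  Returns
    (matches, locally_computed_hex)."""
    local = sha256_hex(reproducible_build(tree, source_date_epoch))
    return hmac.compare_digest(local, published_sha256), local


if __name__ == "__main__":
    EPOCH = 1_700_000_000  # assumed: the vendor ships this alongside the hash
    published = sha256_hex(reproducible_build(SOURCE_TREE, EPOCH))
    print("vendor published  :", published)
    ok, local = verify_against_published(published, SOURCE_TREE, EPOCH)
    print("reviewer rebuild  :", local, "MATCH" if ok else "MISMATCH")

    # A one-byte change to the reviewed source is caught by the same check.
    tampered = dict(SOURCE_TREE)
    tampered["src/main.c"] = tampered["src/main.c"].replace(b"hi", b"hello")
    ok, _ = verify_against_published(published, tampered, EPOCH)
    print("tampered source   :", "MATCH" if ok else "MISMATCH")

    # The naive archive cannot be checked this way at all.
    a = sha256_hex(naive_build(SOURCE_TREE, now=EPOCH))
    b = sha256_hex(naive_build(SOURCE_TREE, now=EPOCH + 1))
    print("naive builds agree:", a == b)
```

The vendor has to publish the SOURCE_DATE_EPOCH (or any other pinned input) together with the hash; with a different epoch the rebuild legitimately produces a different archive, which is the same signal as tampering. For a real compiled binary the same idea extends to pinning the toolchain version, build path and locale, which this archive-only example does not cover.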


Replies

charcircuit, today at 2:28 PM

>a government would want to review the code and compile themselves. Provide a hash of the target binary to ensure they've compiled it correctly.

The government doesn't want to do this. A lot of the time the government doesn't even get the source code in the first place.

>provide auditors with _proof_ that the tested binary is indeed coming from the audited code

This can be done by showing to the auditor how one's CI is setup to build checked in code and sign it.

skydhash, today at 12:05 PM

Military Context: Just build the code that you just reviewed. No need to get the binaries

SDLC: Traceability is more important than reproducibility. Keeping logs is more important than deterministic build outputs