logoalt Hacker News

drdexebtjlyesterday at 5:38 PM0 repliesview on HN

For a Debian image, yeah, that is the threat.

But this is new software from someone no one trusts yet. Verifying the binary was not maliciously replaced by someone else doesn’t matter.

What we need here is a reproducible build made and published by an independent third-party.