Builds on GitHub instead of compromised developer machine
Posted Oct 23, 2024 8:13 UTC (Wed) by farnz (subscriber, #17727)
In reply to: Insecure dev machines. by LtWorf
Parent article: Python PGP proposal poses packaging puzzles
On the assumption that you trust GitHub, this guarantees you that the source visible on GitHub is the corresponding source for the binary built on GitHub. With a developer doing the signing, I can build a binary that does not correspond to the given source, sign it, and upload it.
Reproducible builds would, of course, be better.