@simon I understand what this does, but I don’t understand the value of it. It provides validation that the build happened on MS’s server and that they used a specific checkout. But if builds are not reproducible (e.g. they use unchecksummed external resources), this guarantees nothing. If builds are properly reproducible, what value does the attestation add?
Posted some notes on the new PyPI digital attestations feature released today, providing digital signatures that help demonstrate that the package you are downloading from PyPI was built from a specific version of the underlying code on GitHub https://...
What term do you use when talking about #xmpp with friends and family in the physical realm? “XMPP” is a bit of a mouthful, not quite as friendly as “signal” or “telegram”.
The taxonomy of traffic participants in Dutch law is the brainchild of an orangutan on cocaine

@drewdevault It’s classified as non-motorised and as motorised at the same time? o.O