Agree reproducible builds should be added to the list of best practices.
There are ways to use HSMs to allow users to verify server-side builds match the open source code, although I think only conceptually. Would love to see this done in practice so we can learn from it.
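As an added illustration of the verification step the comment has in mind (this is example code written for this page, not code from the thread or from any project it mentions): a user rebuilds the release from the published sources and compares its digest with the digest the build server published. That only works when the packaging itself is deterministic, so the example contrasts a naive archive (build order and wall-clock timestamps leak into the bytes) with one that pins those inputs. The file contents and timestamps are constructed sample data; signing the published digest with an HSM-held key, which the comment proposes, is assumed to happen outside this snippet.

```python
import gzip
import hashlib
import hmac
import io
import tarfile

# Constructed sample build output: the same two files, listed in two
# different orders, as two independent builders might enumerate them.
BUILD_ON_SERVER = {
    "bin/app": b"#!/bin/sh\necho hello\n",
    "share/README": b"example release 1.0\n",
}
BUILD_ON_USER_MACHINE = {
    "share/README": b"example release 1.0\n",
    "bin/app": b"#!/bin/sh\necho hello\n",
}


def pack_naive(files, build_time):
    """Archive the files the way a naive release script does.

    Directory listing order and the wall-clock time of the build leak into
    the tar entries and the gzip header, so two honest builds of identical
    sources yield different bytes and their digests cannot be compared."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=build_time) as gz:
        with tarfile.open(fileobj=gz, mode="w", format=tarfile.USTAR_FORMAT) as tar:
            for name, data in files.items():  # whatever order the listing came in
                info = tarfile.TarInfo(name)
                info.size = len(data)
                info.mtime = build_time  # wall clock, differs on every run
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def pack_reproducible(files, source_date_epoch=0):
    """Same archive with every source of nondeterminism pinned: sorted entry
    order, one fixed timestamp (the SOURCE_DATE_EPOCH convention), fixed
    ownership and mode, and a fixed gzip header mtime."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=source_date_epoch) as gz:
        with tarfile.open(fileobj=gz, mode="w", format=tarfile.USTAR_FORMAT) as tar:
            for name in sorted(files):
                data = files[name]
                info = tarfile.TarInfo(name)
                info.size = len(data)
                info.mtime = source_date_epoch
                info.uid = info.gid = 0
                info.uname = info.gname = ""
                info.mode = 0o644
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def artifact_digest(blob):
    """Digest the build server would publish (and sign) for its artifact."""
    return hashlib.sha256(blob).hexdigest()


def digests_match(published_digest, local_digest):
    """The user's check: does a local rebuild from the same sources produce
    exactly the artifact whose digest the server published?"""
    return hmac.compare_digest(published_digest, local_digest)


def demo():
    naive_server = pack_naive(BUILD_ON_SERVER, build_time=1700000000)
    naive_user = pack_naive(BUILD_ON_USER_MACHINE, build_time=1700000042)
    repro_server = pack_reproducible(BUILD_ON_SERVER)
    repro_user = pack_reproducible(BUILD_ON_USER_MACHINE)
    return {
        # identical sources, but the naive packaging makes them incomparable
        "naive_matches": digests_match(
            artifact_digest(naive_server), artifact_digest(naive_user)
        ),
        # with deterministic packaging the user can confirm the server build
        "reproducible_matches": digests_match(
            artifact_digest(repro_server), artifact_digest(repro_user)
        ),
    }


if __name__ == "__main__":
    print(demo())
```

The digest comparison is only as trustworthy as the channel that delivers the published digest; that is the gap the comment's HSM idea is meant to close, by having the build server sign the digest with a key it cannot export.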