
Keeping a clean, public VCS is a pain in the neck. If you're working on anything less than a large open-source project with many devs and random contributions, it's a pointless hassle. Can you tell me how that makes it any sketchier than leaving a public GitHub?


Public GitHub with CI means the binary was built unmodified from source. You can turn off issues/PRs and push only release branches with squashed commits.


Assuming you trust GitHub, of course. I think if someone is seriously worried code has been altered between source and maintainer-provided binary, his big concern will be the time it takes to audit the source code (which he also shouldn't trust). The build time will be inconsequential next to that.


The Reproducible Builds project is working on trustworthy builds:

https://reproducible-builds.org/
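The reproducible-builds point above, as an added example that is not part of the thread or of the Reproducible Builds project's own tooling: the same source packaged twice yields a byte-identical artifact only when build-environment details (file order, timestamps, ownership) are pinned, which is what lets a third party rebuild and compare a digest instead of trusting the CI host. The source tree and published digest are constructed here; the fixed timestamp follows the SOURCE_DATE_EPOCH convention the project documents.

```python
import hashlib
import io
import tarfile
import time

# Constructed sample "source tree": path -> contents (not from the thread).
SOURCE = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "README": b"demo project\n",
}


def build_archive(source, reproducible, source_date_epoch=0):
    """Package the source tree into an uncompressed tar and return its bytes.

    reproducible=True pins everything the build host would otherwise leak
    into the artifact: entry order, mtime (SOURCE_DATE_EPOCH), uid/gid and
    owner names. reproducible=False mimics a naive build that stamps the
    current wall-clock time into every entry, so two runs never match.
    """
    buf = io.BytesIO()
    names = sorted(source) if reproducible else list(source)
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            data = source[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = source_date_epoch if reproducible else time.time()
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def digest(blob):
    """SHA-256 of the artifact, the value a maintainer would publish."""
    return hashlib.sha256(blob).hexdigest()


def independently_rebuilt_matches(source, published_digest):
    """What a verifier does: rebuild from the same source on its own machine
    and compare against the published digest, without trusting the CI host."""
    return digest(build_archive(source, reproducible=True)) == published_digest


if __name__ == "__main__":
    published = digest(build_archive(SOURCE, reproducible=True))
    print("reproducible rebuild matches:", independently_rebuilt_matches(SOURCE, published))
    naive = digest(build_archive(SOURCE, reproducible=False))
    print("naive build matches published digest:", naive == published)
```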



