A bit concerned about this warning (1):

"IMPORTANT: These binaries are provided by anyone who is willing to build and submit them; they are NOT official. Because these binaries are generally not reproducible, authenticity cannot be guaranteed. For your consideration, each download page lists the GitHub user that submitted those binaries."

Given one does not compile their own version, wouldn't this make the privacy trade-off vis-à-vis generic Chromium unacceptable?

(1) https://ungoogled-software.github.io/ungoogled-chromium-bina...



Yeah. Why can't GitHub Actions build these artifacts?


It does! That warning is for a different repo that allows community contribution:

https://github.com/ungoogled-software/ungoogled-chromium-bin...


GitHub now offers "artifact attestation"[1], which would be ideal for this use case. It records what build process binaries originated from, so they can still be published elsewhere while remaining verifiable.

[1] https://github.blog/changelog/2024-06-25-artifact-attestatio...
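As an added example (not from the thread and not the ungoogled-chromium project's own workflow), a minimal GitHub Actions job that builds an artifact and records provenance for it, followed by the `gh` command a downloader runs to check that the file they received is the one this workflow produced. The repository name, build script and artifact path are placeholders.

```yaml
# Added example. Repository, build script and artifact names are placeholders.
name: build-and-attest
on:
  push:
    tags: ['v*']

permissions:
  contents: read
  id-token: write       # lets the job obtain an OIDC token to sign the attestation
  attestations: write   # lets the job store the attestation on GitHub

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build
        run: ./build.sh   # placeholder; assumed to produce dist/example-browser.tar.xz

      # Binds the artifact's digest to this repository, workflow and commit,
      # so a consumer can check origin even though the build is not reproducible.
      - name: Attest build provenance
        uses: actions/attest-build-provenance@v1
        with:
          subject-path: dist/example-browser.tar.xz

      - uses: actions/upload-artifact@v4
        with:
          name: example-browser
          path: dist/example-browser.tar.xz

# Consumer side, after downloading the file from wherever it was published:
#   gh attestation verify example-browser.tar.xz --repo example-org/example-browser
# The command fails if the file's digest has no attestation from that repository's
# workflow, which is exactly the check the community-built binaries lack.
```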


It needs way too much space to build with GitHub Actions.



According to the workflow file, you’re using self-hosted runners…


Because of the code signing for macOS


I haven't tried it myself, but it seems like that should be possible?

> You can sign Xcode apps within your continuous integration (CI) workflow by installing an Apple code signing certificate on GitHub Actions runners.

https://docs.github.com/en/actions/use-cases-and-examples/de...


This costs money, requires some agreement signing and can "dox" developers, so not everyone wants a cert.


That is chef's kiss right there.

Security or authenticity is prevented by a security or authenticity policy.


This is common. Sometimes a security policy works (e.g. a password length requirement may cause people to come up with a stronger password) and sometimes people consider it excessive and prefer to work around it (e.g. a password length requirement may cause people to write the password down on a sticky note and attach it to the computer screen).


> Given one does not compile their own version

skill issue



