Biuld reproducibility

[rimutaka]

How do we know that there are no vulnerabilities or backdoors introduced into the build via dependencies?

• https://security.googleblog.com/2021/07/measuring-security-risks-in-open-source.html
• https://github.com/rust-secure-code/cargo-supply-chain
• https://www.reddit.com/r/rust/comments/ofurfs/how_to_achieve_identical_compilations_of_the_same/

[rimutaka]

Looks like checking in Cargo.lock should solve the problem. Full response on reddit: https://www.reddit.com/r/rust/comments/ofurfs/how_to_achieve_identical_compilations_of_the_same/h4eznav/?utm_source=reddit&utm_medium=web2x&context=3