Hello. Whonix (whonix.org) developer here. We are an anonymity distro that some of you are familiar with. We have a vested interest in seeing Tox succeed as a secure/private communication alternative to the status quo.
IMHO moving the project binary builds to an online build server is a bad move, especially in the absence of a reproducible build system. You cannot rely on a cloud server to not work against your interests and that of your users. The Certificate Authority/HTTPS system is badly broken and not a guarantee against nation states trying to poison binaries.
I think that at the very least you should run your own build infrastructure until repro builds are realized so you can verify no one messed with binaries you distribute.
cc/ @adrelanos