Are the Trezor Clients reproducible?

I know that the Trezor firmware is reproducible, but are the clients reproducible too?
This is important for two reasons:

  • They handle very sensitive data
  • The Linux client comes as an AppImage which has no sandboxing, so the app could potentially do harm to the whole system

I don’t think the Suite builds are reproducible at this time.

This doesn’t matter that much in case of Suite, because, unlike the firmware, you’re free to compile and run your own version on your own computer. That way you can be sure that you’re running the same code that exists in the repo.

For sure, it would be even nicer to see that the official binary distribution does reproducibly come from the source. But given that it is an Electron app, forensic tools should have no trouble identifying any differences.

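One way to act on the reply above (build it yourself, then let tooling find any differences against the official binary) is to unpack both the official AppImage and your own build and compare the two trees file by file. The script below is an added example, not code from the thread or from the Trezor project. It assumes each AppImage has already been unpacked into a directory (the AppImage runtime's `--appimage-extract` option writes a `squashfs-root` directory; the `official` and `own` directory names are my own), and the `demo()` fixture is a constructed stand-in for those two trees, not real Suite contents.

```python
"""Compare two unpacked build trees (official vs. self-built) by SHA-256.

Added example, not Trezor's code. Assumes both AppImages were unpacked, e.g.
    ./Trezor-Suite.AppImage --appimage-extract && mv squashfs-root official
and likewise for your own build into a directory named `own`.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large bundles do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_digest(root: Path) -> Dict[str, str]:
    """Map every regular file under root (path relative to root) to its SHA-256."""
    out: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            out[p.relative_to(root).as_posix()] = sha256_file(p)
    return out


def compare_trees(official: Path, own: Path) -> Dict[str, List[str]]:
    """Report files present on one side only, and files present on both but differing."""
    a, b = tree_digest(official), tree_digest(own)
    return {
        "only_in_official": sorted(set(a) - set(b)),
        "only_in_own": sorted(set(b) - set(a)),
        "differing": sorted(k for k in set(a) & set(b) if a[k] != b[k]),
    }


def is_reproducible(report: Dict[str, List[str]]) -> bool:
    """True only when no file differs and neither side has extra files."""
    return not any(report.values())


def demo() -> Dict[str, List[str]]:
    """Constructed fixture: two trees that differ only in a build timestamp and a stray log."""
    with tempfile.TemporaryDirectory() as d:
        official = Path(d) / "official"
        own = Path(d) / "own"
        for root in (official, own):
            (root / "resources").mkdir(parents=True)
            # Identical application bundle on both sides (constructed placeholder bytes).
            (root / "resources" / "app.asar").write_bytes(b"identical bundle bytes")
            (root / "AppRun").write_text("#!/bin/sh\nexec ./suite\n")
        # A typical non-determinism source: an embedded build timestamp.
        (official / "build-info.json").write_text('{"built":"2023-01-01T00:00:00Z"}')
        (own / "build-info.json").write_text('{"built":"2023-06-01T12:34:56Z"}')
        # Leftover from the local build that the official package does not ship.
        (own / "extra.log").write_text("leftover from my build\n")
        return compare_trees(official, own)


if __name__ == "__main__":
    report = demo()
    for key, files in report.items():
        print(f"{key}: {files}")
    print("reproducible:", is_reproducible(report))
```

Point the two paths at real unpacked trees and `compare_trees` lists exactly which files to inspect further (for an Electron app, `resources/app.asar` is the one that matters most); an empty report is the reproducibility result the original question asks for.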

What is stopping them from being reproducible?

Compiling every application I use (or at least the unsandboxed ones) from source for every update would probably take multiple hours of compile time every day, given the fact that my hardware isn’t really strong at the moment.

Are Electron binaries easier to reverse engineer than apps built with other frameworks?