
1122 points felixrieseberg | 4 comments
1. mkgeorge7 No.43906729
Question for the devs in here... something I've been thinking about a lot recently. So I see that OP linked out to a public GitHub repo... but when downloading the actual bundle, what's a quick way for me to determine that what I'm installing on my Mac is actually the same as what's in the public repo? It's always seemed like a loophole to me, ready for (potential) exploitation.

>> Ship project. >> Link out to the GitHub repo on the static site somewhere. >> Gain trust instantly as users presume the public repo is what's used behind the scenes.

Disclaimer: I'm a web dev and don't know a single thing about native macOS software.

replies(3): 43906763, 43906770, 43906969
2. No.43906763
3. dec0dedab0de No.43906770
You don't; that is what reproducible builds are trying to solve, but even then it would still need someone to compile and check.

https://en.wikipedia.org/wiki/Reproducible_builds

4. felixrieseberg No.43906969
Yeah, reproducible builds would be fantastic.

I sign my binaries on macOS with Apple codesign and notarize - and with Microsoft's Azure Trusted Signing for Windows. Both operating systems will actually show you a lot of warning dialogs before running anything unsigned. It's far from perfect - but I do wish we'd get more into the habit of signing binaries, even if open source.
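The two answers above describe a procedure without showing it: rebuild the tagged commit yourself and compare the result with the download (comment 3), and check that the download carries the signature the developer says they apply (comment 4). The script below is an added example and is not code from the thread, from felixrieseberg, or from the project being discussed. It assumes a hypothetical bundle named Foo.app, a hypothetical Apple Team ID ABCDE12345, and that you have already built the same tagged commit into ./build/Foo.app; all of these are placeholders. One caveat the thread does not spell out: a notarized download will never byte-match an unsigned local build, because the signature is embedded in the main executable (LC_CODE_SIGNATURE) and in Contents/_CodeSignature, so the comparison is done on copies with the signature removed (codesign --remove-signature, documented in codesign(1)).

```shell
#!/bin/sh
# Added example, not the project's own tooling. Placeholders: Foo.app, ABCDE12345.

# Portable SHA-256 of one file: macOS ships shasum, most Linux hosts ship sha256sum.
sha256_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Manifest of a bundle: "hash  relative-path" for every file, sorted so two
# manifests are comparable as plain text. Signature resources are skipped
# because the downloaded bundle has them and a local build does not.
tree_manifest() {
    dir=$1
    ( cd "$dir" && find . -type f ! -path '*/_CodeSignature/*' ! -name 'CodeResources' | LC_ALL=C sort ) |
    while IFS= read -r rel; do
        printf '%s  %s\n' "$(sha256_file "$dir/$rel")" "$rel"
    done
}

# Return 0 when both trees contain byte-identical files; otherwise print the
# differing entries and return 1. Any mismatch means the download is not what
# the tagged source produced (or the build is not yet reproducible).
compare_trees() {
    a=$(tree_manifest "$1")
    b=$(tree_manifest "$2")
    if [ "$a" = "$b" ]; then
        return 0
    fi
    printf '%s\n' "$a" > "/tmp/manifest_a.$$"
    printf '%s\n' "$b" > "/tmp/manifest_b.$$"
    diff "/tmp/manifest_a.$$" "/tmp/manifest_b.$$"
    rm -f "/tmp/manifest_a.$$" "/tmp/manifest_b.$$"
    return 1
}

# macOS only: copy a bundle and strip its code signature so that the embedded
# signature bytes do not defeat the byte-for-byte comparison above.
unsigned_copy() {
    src=$1; dst=$2
    rm -rf "$dst" && cp -R "$src" "$dst"
    codesign --remove-signature "$dst"
}

# macOS only: the check a user can run without rebuilding anything. Verifies
# the signature is intact, that Gatekeeper accepts it (notarized Developer ID),
# and that the signing Team ID is the one the developer publishes. The Team ID
# is what ties the binary to a specific Apple developer account; a valid
# signature from some other team is still a red flag.
check_signature() {
    app=$1; expected_team=$2
    codesign --verify --deep --strict --verbose=2 "$app" || return 1
    spctl --assess --type execute --verbose=2 "$app" || return 1
    team=$(codesign -dv --verbose=4 "$app" 2>&1 | sed -n 's/^TeamIdentifier=//p')
    [ "$team" = "$expected_team" ]
}

# Usage on a Mac (hypothetical paths and Team ID):
#   check_signature ~/Downloads/Foo.app ABCDE12345 && echo "signed by the expected team"
#   unsigned_copy ~/Downloads/Foo.app /tmp/Foo-download.app
#   unsigned_copy ./build/Foo.app     /tmp/Foo-local.app
#   compare_trees /tmp/Foo-download.app /tmp/Foo-local.app && echo "matches the local build"
```

The signature check answers "is this the binary the developer signed?"; only the tree comparison answers "is this what the public repo builds?", and it only works once the project's build is reproducible (same toolchain, same dependency lockfile, no embedded timestamps), which is exactly the work comment 3 alludes to. Until then the comparison will show spurious differences, so run it on a tagged release built in the same environment the developer documents.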