←back to thread

Show HN: Clippy – 90s UI for local LLMs

(felixrieseberg.github.io)
1122 points felixrieseberg | 1 comments | 06 May 25 15:02 UTC | HN request time: 0.33s | source
Show context
mkgeorge7 ◴[06 May 25 16:08 UTC] No.43906729[source]
Question for the devs in here...something I've been thinking about a lot recently. So I see that OP linked out to a public github repo...but when downloading the actual bundle, what's a quick way for me to determine that what I'm installing on my mac is actually the same as what's in the public repo? It's always seemed like a loophole to me ready for (potential) exploitation.

>> Ship project. >> Link out Github repo on the static site somewhere >> Gain trust instantly as users presume the public repo is what's used behind the scenes

Disclaimer: I'm a web dev and don't know a single thing about native MacOS software

replies(3): >>43906763 #>>43906770 #>>43906969 #
1. felixrieseberg ◴[06 May 25 16:30 UTC] No.43906969[source]
Yeah, reproducible builds would be fantastic.

I sign my binaries on macOS with Apple codesign and notarize - and with Microsoft's Azure trusted signing for Windows. Both operating systems will actually show you a lot of warning dialogs before running anything unsigned. It's far from perfect - but I do wish we'd get more into the habit of signing binaries, even if open source.