It would be really cool if they provided predictable builds; then we could just compare the binary against a self-compiled binary and be sure there are no backdoors we can't see in the code.
Sadly, even TrueCrypt fails to provide that. So I guess we'll have to live with binary blobs no one knows what they're really doing.
Hi, I'm one of the people working on the stuff Cisco open sourced and yes, it will be predictable and verifiable builds. We are working with some of the Mozilla folks to make sure we can do that.
How often do you expect new Cisco builds to be published? Will the releases be versioned so Firefox version X knows it will always install OpenH264 version Y from Cisco's binary blob server?
Open to suggestions, but the current plan would be to make it match up roughly with the Firefox 6-week release cycle. Definitely versioned and fingerprinted such that Firefox can verify that Cisco did not compile in bad stuff.