I had no idea this issue had been identified. While I find this tool very useful, the project is seeming rather questionable to me now.

You are viewing a single thread.
View all comments View context
17 points

Is that any different from no one checking the code every update?

permalink
report
parent
reply
11 points
*
Deleted by creator
permalink
report
parent
reply
3 points
*

That’s ok if we are talking about malware publicly shown in the published source code… but there’s also the possibility of a private source-code patch with malware that it’s secretly being applied when building the binaries for distribution. Having clean source code in the repo is not a guarantee that the source code is the same that was used to produce the binaries.

This is why it’s important for builds to be reproducible, any third party should be able to build their own binary from clean source code and be able to obtain the exact same binary with the same hash. If the hashes match, then you have a proof of the binary being clean. You have this same problem with every single binary distribution, even the ones that don’t include pre-compiled binaries in their repo.

permalink
report
parent
reply
3 points

The problem is not near enough projects support reproducible builds, and many that do aren’t being regularly verified, at least publicly.

permalink
report
parent
reply

Open Source

!opensource@lemmy.ml

Create post

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

  • Posts must be relevant to the open source ideology
  • No NSFW content
  • No hate speech, bigotry, etc

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

Community stats

  • 3.3K

    Monthly active users

  • 1.2K

    Posts

  • 10K

    Comments