this post was submitted on 01 Sep 2023
Thanks for that. I'm honestly a bit surprised that there isn't a more automatic way of checking this, like some sort of badge on GitHub or something.
There is, it's called a Linux distribution repository or F-Droid for Android.
Why would you trust a badge on GitHub if you don't trust the original author to not tamper with the binaries? The only way is to either build from source yourself or get the binaries from a trusted 3rd party that does that.
AFAIK most Linux distributions don't (yet) have fully reproducible builds (simply because it's a HUGE ask). For Debian for example, it's continued ongoing work: https://wiki.debian.org/ReproducibleBuilds
That is an unrelated topic. By using a distro you are already implicitly trusting them over the random author that publishes binaries on their repo or so.
Yes, I agree with the trust and that it's effectively equivalent for most users. But I read OP's reply as asking specifically for "a more automatic way of checking (that it was built from source cleanly)".
I think expecting that this has already been cleanly solved years ago is not unreasonable (until you realize how many rabbit holes this whole topic has to go down to work well).