74

How can users confidently verify that a FOSS application is running from its published source code? Is there a easy way to check this, or is this based of checksum and hashes?

you are viewing a single comment's thread
view the rest of the comments
[-] rentar42@kbin.social 11 points 1 year ago

AFAIK most Linux distributions don't (yet) have fully reproducible builds (simply because it's a HUGE ask). For Debian for example, it's continued ongoing work: https://wiki.debian.org/ReproducibleBuilds

[-] poVoq@slrpnk.net 6 points 1 year ago

That is an unrelated topic. By using a distro you are already implicitly trusting them over the random author that publishes binaries on their repo or so.

[-] rentar42@kbin.social 6 points 1 year ago

Yes, I agree with the trust and that it's effectively equivalent for most users. But I read OPs reply as asking specifically for "a more automatic way of checking (that it was build from source cleanly)".

I think expecting that this has already been cleanly solved years ago is not unreasonable (until you realize how many rabbit holes this whole topic has to go down to work well).

this post was submitted on 01 Sep 2023
74 points (98.7% liked)

Open Source

31358 readers
18 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago
MODERATORS