74

How can users confidently verify that a FOSS application is running from its published source code? Is there a easy way to check this, or is this based of checksum and hashes?

all 24 comments
sorted by: hot top controversial new old
[-] smpl@discuss.tchncs.de 64 points 1 year ago

You're looking for what's called reproducible builds.

https://reproducible-builds.org/

[-] LunchEnjoyer@lemmy.world 8 points 1 year ago

Thanks for that. I'm honestly a bit surprised that there isn't a more automatic way of checking this, like some sort of badge on Github or something.

[-] poVoq@slrpnk.net 24 points 1 year ago

There is, its called a Linux distribution repository or F-Droid for Android.

Why would you trust a badge on github if you don't trust the original author to not tamper with the binaries? The only way is to either built from source yourself or get the binaries from a trusted 3rd party that does that.

[-] rentar42@kbin.social 11 points 1 year ago

AFAIK most Linux distributions don't (yet) have fully reproducible builds (simply because it's a HUGE ask). For Debian for example, it's continued ongoing work: https://wiki.debian.org/ReproducibleBuilds

[-] poVoq@slrpnk.net 6 points 1 year ago

That is an unrelated topic. By using a distro you are already implicitly trusting them over the random author that publishes binaries on their repo or so.

[-] rentar42@kbin.social 6 points 1 year ago

Yes, I agree with the trust and that it's effectively equivalent for most users. But I read OPs reply as asking specifically for "a more automatic way of checking (that it was build from source cleanly)".

I think expecting that this has already been cleanly solved years ago is not unreasonable (until you realize how many rabbit holes this whole topic has to go down to work well).

[-] jet@hackertalks.com 25 points 1 year ago

F Droid is as close as you're going to get. They take open source projects and build them independently and then publish. So if you trust f Droid, then the code you get from f Droid is the right code, and the binary you get from Android is the right binary.

[-] SpeakinTelnet@sh.itjust.works 6 points 1 year ago

Fdroid is great but OPs question is even more important then, installing an installer app without knowing its legitimacy could lead to many apps being infected.

[-] jet@hackertalks.com 4 points 1 year ago

Sure, its about who you trust in this scenario. once you introduce a compiler it becomes unprovable. So what your threat model is, and who you can trust.

[-] pixxelkick@lemmy.world 18 points 1 year ago

Compile the application yourself, usually.

[-] FooBarrington@lemmy.world 8 points 1 year ago

This won't help verify a published binary unless the project is set up for reproducible builds.

[-] aurtzy@discuss.tchncs.de 10 points 1 year ago

You might find The Full-Source Bootstrap: Building from source all the way down by some of the GNU Guix maintainers of interest to read, which discusses how Guix is attempting to solve the "trusting trust" attack some have mentioned here.

Although I haven't used it myself yet, Guix actually has a feature that lets you "challenge" the build servers to see if your builds match the pre-built binaries (the command being aptly named guix challenge).

[-] theshatterstone54@feddit.uk 1 points 1 year ago

Do you use Guix? I've found it quite interesting and I'd love to try it out one day. The thing is, I need the mainline Linux kernel for some proprietary drivers.

[-] aurtzy@discuss.tchncs.de 4 points 1 year ago

I do!

For starters, you're not required to install Guix System in order to use the Guix package manager itself; the manual provides instructions for installing it on top of your existing system here if you want to use it but not fully commit (you can do this with Nix too).

Guix allows for adding new sources to pull packages from using channels. The nonguix channel provides the Linux kernel - blobs and all - as well as other stuff that won't be upstreamed, like Steam and NVIDIA drivers.

I recommend this helpful series by System Crafters, which includes a few guides on installing Guix and Guix System with the full Linux kernel.

[-] theshatterstone54@feddit.uk 1 points 1 year ago

Thank you. I currently use NixOS, but Guix always seemed interesting.

[-] aurtzy@discuss.tchncs.de 1 points 1 year ago

It's my pleasure :)

Just a note if you plan on installing Guix on top though, since I didn't realize you might be running NixOS: according to this discussion, you'd need to take a different route to get Guix working.

[-] rentar42@kbin.social 10 points 1 year ago* (last edited 1 year ago)

As the article/SO answer posted by cwagner tells you you effectively can't, because a "trojan" could be injected at many different levels and even self-compiling the source code depends on some compiler binary that you have to get from somewhere (build your own compiler, you tell me, but what do you use to compile THAT?).

In practice for most people the correct answer is "get the binary from your distributions normal repository". By using a given distribution you already implicitly trust that distribution (because if you don't, why use it?), so non-core software from their repository should also be considered trustworthy (at least in the sense that no additional trojans were introduced that aren't in the source).

That doesn't really help with Windows, though. There your best bet is to get a binary that's from as close to the original authors themselves. Ideally from their project home page themselves.

[-] LunchEnjoyer@lemmy.world 3 points 1 year ago

Thanks for the answer. I am a Linux user luckily ๐Ÿ˜Š

[-] rufus@discuss.tchncs.de 8 points 1 year ago

Someone already mentioned reproducible builds. Other alternative is to build it from source yourself.

[-] trustnoone@lemmy.sdf.org 3 points 1 year ago

Of course, you simply have to be the one to compile it :p

[-] Kangie@lemmy.srcfiles.zip 2 points 1 year ago

I run Gentoo; (almost) every binary on my system was compiled from source on my machine or one that I control.

[-] pexavc@lemmy.world 1 points 1 year ago* (last edited 1 year ago)

When it comes to iOS, Here's a cool guide for reverse engineering .ipas. https://github.com/ivRodriguezCA/RE-iOS-Apps . I would think applying a sort of comparison of the static analysis with a published app against the compiled repos version would be a possible first step

[-] kebabslob@lemmy.blahaj.zone -5 points 1 year ago

Decompile it and verify

this post was submitted on 01 Sep 2023
74 points (98.7% liked)

Open Source

31133 readers
314 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago
MODERATORS