How can users confidently verify that a FOSS application is running from its published source code? Is there a easy way to check this, or is this based of checksum and hashes?

  • LunchOP
    link
    fedilink
    810 months ago

    Thanks for that. I’m honestly a bit surprised that there isn’t a more automatic way of checking this, like some sort of badge on Github or something.

    • poVoq
      link
      fedilink
      2510 months ago

      There is, its called a Linux distribution repository or F-Droid for Android.

      Why would you trust a badge on github if you don’t trust the original author to not tamper with the binaries? The only way is to either built from source yourself or get the binaries from a trusted 3rd party that does that.

        • poVoq
          link
          fedilink
          610 months ago

          That is an unrelated topic. By using a distro you are already implicitly trusting them over the random author that publishes binaries on their repo or so.

          • rentar42
            link
            fedilink
            610 months ago

            Yes, I agree with the trust and that it’s effectively equivalent for most users. But I read OPs reply as asking specifically for “a more automatic way of checking (that it was build from source cleanly)”.

            I think expecting that this has already been cleanly solved years ago is not unreasonable (until you realize how many rabbit holes this whole topic has to go down to work well).