How do i know that open source programs actually use the code provided with it, and it is not a copy of the original code that compiles into functionally the same program tho the code is hiding whatever malicious code the developer would want to hide in his program?
compile it yourself and compare the file hash retard
Builds might not be reproducible, retard.
idk what either of you mean so it would be nice to have some clarification
you compile it and use utilities like sha256sum
on both the binary you download and the one you compiled if it generate the same hash its the same file and nothing was added to it.
ignore the other dumbfuck he don't know shit
> use utilities like
Can you even explain the concept of a hash?
> he onnou sheeit
No naggers allowed, please.
The hashing is a one way encryption. The algorithm generates a relatively short text code, and the output always will be the same if the input is the same. So the author of compiled software guarantees that you get what has been generated as an original.
There's no guarantee. See
, among many other factors.
Then feel free to fuck around on your end or look for forum posts about getting hashes to match. But the original question was "how do you make sure a program uses the source code provided," and that question has been given an answer. Edge cases where hashes don't match don't magically make equivalent hashes invalid.
> that question has been given an answer
> fuck around on your end or look for forum posts
I just hope you aren't reproducible.
> Edge cases
Many such cases...
i assumed i had to explain it to a complete drooling retard.
your welcome
What is the point of comparing when you could simply use the binary you just compiled?
basically:
check the "fingerprint" of the file they claim to be the compiled code
compile the code yourself, and compare the "fingerprints"
So make it reproducible.
>just spend 30 mins to 1 hour compiling the file bro
This is just cope. There should be a system in place by Github. To make sure the executables are what the authors claim they are.
Someone has to compile it at some point, might as well be you
depends if the builds are deterministic or not. in my experience trying this, they’re not
You don't. If you don't trust the developer, compile it yourself.
Build it yourself then nigga
install gentoo
Take the source code and use the power of Gentoo Linux! Everything in Gentoo is built from source using your own machine.
>"posted in r/linuxmemes"
Gentoo is extremely easy to install. Installing Arch is more difficult because something breaks every time
compiler version and compile flags can change the binarys hash
well we both know you arent actually reading through all the code so it really makes no difference.
>but other people are looking at it!
everyone says that and nobody does. many such cases of malware being out in the open for a long time and nobody knows
How do you know that clever programming that you can't even see as a normal (in the bell curve) c or c++ programmer isn't hiding in plain sight so that the malicious code is fully auditable but, to your clouded, scaled over eyes, looks like it's OK?
The solution is to write your own OS. Preferably on a computer so simple that it's impossible to backdoor.
Well, if you use precompiled programs, ideally an independent distributor would have compiled them from the provided source code. Other open source programs you usually compile yourself anyway.
In any case, you can never read all the source code you run. It's better than closed-source, which doesn't let you read any code, but you still depend on trust.
There isn't necessarily a way to make sure of that. A complex project will very likely not compile into the same result. Especially in different environments, but even when on the same machine, it may be different every time you compile the program.
That would never happen
https://en.wikipedia.org/wiki/Intel_C%2B%2B_Compiler#Support_for_non-Intel_processors
>How do i know...
You can't know:
>Reflections on Trusting Trust
https://www.win.tue.nl/~aeb/linux/hh/thompson/trust.html
>The moral is obvious. You can't trust code that you did not totally create yourself.
>No amount of source-level verification or scrutiny will protect you from using untrusted code.
How do you know the food you buy from the supermarket isn't laced with poison?
Nixos fixes this with deterministic builds.
And deterministic posts too.
Nixos fixes this with deterministic builds.