How can we trust open source software?
February 26, 2013 7:18 AM
Open source software is considered trustworthy because anyone can validate the source code and hold the developer accountable. Usually developers will also make compiled binaries available for convenience. How can we know that these binaries are compiled from the same source code the developer published, and not a malicious variant of it?
A truly paranoid person will compile from source every time. But most people don't have the knowledge or time to do that so they trust the project's official compiled packages. Is there any way to validate that an application wasn't compiled from a secret parallel branch?
I was thinking of a checksum: Compile an app yourself, then download the official binary, and the checksums of both should match. I don't know much about compiling code personally, I assume there are nuances to the process that could result in variation even if the official binary is legitimate. Can anyone more informed shed some light on this?
posted by The Winsome Parker Lewis to computers & internet (17 answers total) 3 users marked this as a favorite
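As an added illustration (not part of the question or any answer on this page), the script below models the "compile it yourself and compare checksums" idea with a toy build step. The source tree, the build routine and all names are constructed for the example. The point it makes is the one the question suspects: a build that bakes in wall-clock time (or file order, or absolute paths) produces a different digest every run even when the source is honest, so a checksum mismatch tells you nothing. Once those inputs are pinned (the real-world convention is the SOURCE_DATE_EPOCH variable used by the reproducible-builds effort; here it is a fixed tuple), an independent rebuild matches the official artifact byte for byte, and a mismatch becomes a meaningful signal that the artifact was built from something other than the published source.

```python
import hashlib
import io
import time
import zipfile

# Constructed stand-in for a project's published source tree (hypothetical).
SOURCE_FILES = {
    "main.c": b'#include <stdio.h>\nint main(void){puts("hello");return 0;}\n',
    "Makefile": b"all: main.c\n\tcc -o hello main.c\n",
}


def build(source, deterministic, build_time=None):
    """Toy 'compiler': packs the source into a zip artifact.

    Real toolchains embed build timestamps, absolute paths and directory
    ordering in their output; the zip entry mtime and entry order stand in
    for all of those here. deterministic=True pins every such input so the
    artifact depends only on the source bytes.
    """
    if deterministic:
        # Analogous to SOURCE_DATE_EPOCH: a fixed timestamp derived from the
        # source (e.g. the last commit date), never from the wall clock.
        stamp = (2013, 2, 26, 7, 18, 0)
        names = sorted(source)
    else:
        # Whatever time it is now (or the caller's fake clock), and whatever
        # order the filesystem happened to return the files in.
        t = time.localtime(build_time if build_time is not None else time.time())
        stamp = tuple(t[:6])
        names = list(source)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in names:
            info = zipfile.ZipInfo(name, date_time=stamp)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, source[name])
    return buf.getvalue()


def sha256(data):
    """Digest of an artifact, as a hex string (what a project would publish)."""
    return hashlib.sha256(data).hexdigest()


def verify(official_artifact, source, deterministic):
    """Rebuild from the published source and compare digests.

    Returns True only when the independent rebuild matches the official
    artifact exactly; with deterministic builds that is the expected result
    for honest source, and False means the artifact came from something else.
    """
    return sha256(build(source, deterministic)) == sha256(official_artifact)


if __name__ == "__main__":
    official = build(SOURCE_FILES, deterministic=True)
    print("honest source, reproducible build :", verify(official, SOURCE_FILES, True))

    # A 'secret parallel branch': same tree, one line changed.
    tampered = dict(SOURCE_FILES)
    tampered["main.c"] = b'#include <stdio.h>\nint main(void){puts("hello");return 1;}\n'
    print("tampered source, reproducible build:", verify(official, tampered, True))

    # Non-deterministic builds of identical source still disagree.
    a = build(SOURCE_FILES, False, build_time=1000000000)
    b = build(SOURCE_FILES, False, build_time=1200000000)
    print("two honest timestamped builds match:", sha256(a) == sha256(b))
```

The verification step only works when the build is reproducible; that is why projects that want third parties to confirm their binaries document the exact toolchain version, flags and pinned timestamp alongside the published digest, and why a published hash or signature on its own only proves who produced the binary, not what it was built from.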
posted by tylerkaraszewski at 7:24 AM on February 26 [2 favorites]