How can users confidently verify that a FOSS application is running from its published source code? Is there a easy way to check this, or is this based of checksum and hashes?
How can users confidently verify that a FOSS application is running from its published source code? Is there a easy way to check this, or is this based of checksum and hashes?
As the article/SO answer posted by cwagner tells you you effectively can’t, because a “trojan” could be injected at many different levels and even self-compiling the source code depends on some compiler binary that you have to get from somewhere (build your own compiler, you tell me, but what do you use to compile THAT?).
In practice for most people the correct answer is “get the binary from your distributions normal repository”. By using a given distribution you already implicitly trust that distribution (because if you don’t, why use it?), so non-core software from their repository should also be considered trustworthy (at least in the sense that no additional trojans were introduced that aren’t in the source).
That doesn’t really help with Windows, though. There your best bet is to get a binary that’s from as close to the original authors themselves. Ideally from their project home page themselves.
Thanks for the answer. I am a Linux user luckily 😊