Hello, technology retard here.
So, supposedly you should use open source software because its code can be freely audited. But what ensures that this is the same code that's used in already compiled executables I download?
>>61475669
Blind faith in others to do the checking for you.
>>61475669
You can compile the code and check for differences. The same compiler will produce the same binary. That is a good-enough approach.
>>61475835
Does hashing produce the same result? Do things like last modified date affect hash?
>>61476325
There are several things that can modify the binary, but the modification date is not one of them.
Usually the build tool, architecture, and optimization level can change the hash of the binary. (E.g. using clang instead of gcc would change the output.)
Usually your distro has trustworthy maintainers, and a digital signature will verify that the package originates from them.
If you are super-paranoid, you can verify the packages by recompiling them, but for a generic user I see no point. There must be some trust between the maintainers and the user. If that trust is broken, it is time to look for a different distro.
Alternatively, you can use a source-based distro, so you can create the binary yourself. (a.k.a. install Gentoo) ;)
>>61475669
You write your own compiler and then compile everything with it.
Don't tell anybody about your compiler though, they will try to steal it.
>>61475669
To add to what some of the anons have said, what makes open source like Linux so attractive is that there are tens of thousands of people involved in various aspects of the code and sneaking backdoors by an agent pretending to be a contributor would be very difficult. Then you have the security oriented community who also peruses the code...
>But what ensures that this is the same code that's used in already compiled executables I download?
If you really care about the benefits of FOSS you should not download precompiled binaries. Always compile from source.
>>61476325
>Do things like last modified date affect hash?
That information is part of the filesystem, it's not contained in the file data itself.
Any project worth its weight will provide a checksum for the binaries and the code base that you can compare against. It used to be md5sum more often; nowadays it's sha256sum.
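The compile-and-compare check from the posts above, together with the checksum comparison this post describes, as an added Python example (not from the thread): it shows that changing a file's mtime leaves its SHA-256 unchanged, that a byte-identical rebuild matches a published sha256sum line, and, going one step beyond the thread, that a build which bakes its own build date into the output does not. The "binary" bytes and the checksum line are constructed stand-ins.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for a compiled program; a real binary differs only in size.
FAKE_BINARY = b"\x7fELF" + b"\x00" * 12 + b"constructed program bytes"

def sha256_file(path):
    """Digest of the file's bytes only; mtime and other metadata never enter it."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def parse_checksums(text):
    """Parse sha256sum/md5sum output ('<hex>  <name>' or '<hex> *<name>' per line)."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        sums[name.lstrip(" *")] = digest.lower()  # strip separator and binary-mode marker
    return sums

def matches_published(path, sums):
    """True if the file's digest equals the published digest for its basename."""
    expected = sums.get(os.path.basename(path))
    return expected is not None and sha256_file(path) == expected

def demo():
    """Walk the thread's three cases and return the outcome of each."""
    with tempfile.TemporaryDirectory() as d:
        paths = {k: os.path.join(d, k, "tool") for k in ("download", "rebuild", "stamped")}
        for p in paths.values():
            os.makedirs(os.path.dirname(p))
        with open(paths["download"], "wb") as f:
            f.write(FAKE_BINARY)
        # Pretend the project shipped this line beside the download (sha256sum format).
        published = parse_checksums(f"{sha256_file(paths['download'])}  tool\n")
        os.utime(paths["download"], (0, 0))  # set mtime to the epoch, then hash again
        mtime_changed_hash = not matches_published(paths["download"], published)
        with open(paths["rebuild"], "wb") as f:
            f.write(FAKE_BINARY)  # same toolchain and options: identical bytes
        with open(paths["stamped"], "wb") as f:
            f.write(FAKE_BINARY + b" built 2017-07-22")  # build date baked into the file
        return {
            "mtime_changed_hash": mtime_changed_hash,
            "rebuilt_matches": matches_published(paths["rebuild"], published),
            "stamped_build_matches": matches_published(paths["stamped"], published),
        }
```

The last case is the usual reason a good-faith rebuild still fails to match: anything the build stamps into the output (dates, absolute paths, random seeds) has to be pinned before "same compiler, same binary" holds.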
>>61475669
I'm going to go with reproducible builds for $500, Bill.
>>61476562
>Usually your distro has trustworthy maintainers
HAHAHAHAHAHAHAHAHA! Sure, just trust pseudonymous strangers who decided to place themselves in a MitM position for free. What could go wrong?
>>61478539
Except it doesn't get audited.
>>61476714
Unless you've audited the source it's exactly the same as a precompiled binary.
dumb crystal whore poster