How can users confidently verify that a FOSS application is running from its published source code? Is there a easy way to check this, or is this based of checksum and hashes?
How can users confidently verify that a FOSS application is running from its published source code? Is there a easy way to check this, or is this based of checksum and hashes?
You might find The Full-Source Bootstrap: Building from source all the way down by some of the GNU Guix maintainers of interest to read, which discusses how Guix is attempting to solve the “trusting trust” attack some have mentioned here.
Although I haven’t used it myself yet, Guix actually has a feature that lets you “challenge” the build servers to see if your builds match the pre-built binaries (the command being aptly named
guix challenge).