Realized a problem.
from MeowerMisfit817@lemmy.world to privacy@lemmy.ca on 16 Jun 18:51
https://lemmy.world/post/48250810

Maybe the open source apps could be lying about their source code? For example, put up a version without trackers while the one they use has trackers?

#privacy


masterofn001@lemmy.ca on 16 Jun 18:56

You could always examine the code and compile from source as seen.

You could also use a hash to verify the content of the code does not differ from the source.

Using precompiled binaries should be able to use a hash to verify as well.

You can also run a scan on the app/code.

spinne@sh.itjust.works on 16 Jun 23:10

It’s good to take the principle of “question everything” seriously and to have the tools to do it right.

CoyoteFacts@lemmy.ca on 16 Jun 19:44

en.wikipedia.org/wiki/Reproducible_builds

e.g. f-droid.org/docs/Reproducible_Builds/ for F-Droid’s efforts on it. Debian, Arch Linux, and other popular Linux distros also have their own efforts ongoing.

i_am_not_a_robot@discuss.tchncs.de on 16 Jun 22:41

“the one they use” Who is they? What is the one they use? Most Linux distributions and F-Droid build every package from the source code and make available the source code that was built.

MeowerMisfit817@lemmy.world on 17 Jun 05:23

“They” as in the developers and the app itself.

hendrik@palaver.p3x.de on 17 Jun 01:28

Yes, they could. That’s what reproducible builds are for. And Linux distribution maintainers. You’d better install software from places like the Debian package repository (or your distribution’s repo) or from F-Droid (if you’re using Android).

SamuelEllis@lemmy.world on 18 Jun 17:46

While open source code is visible, the real risk lies in supply chain compromises where dependencies are replaced with malicious variants during the build process. You should verify if the app’s binary has been rebuilt from the source or if the build environment itself is compromised, as static analysis alone cannot detect dynamically injected payloads from trusted but hijacked package repositories.
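The checks the thread keeps coming back to (hash comparison, reproducible builds, rebuilding a shipped binary from its published source) in a small shell script. This is an added example, not code from any poster or from F-Droid or Debian; the "compiler" is just file concatenation, the source tree is constructed inline, and `sha256sum` (GNU coreutils) is assumed to be installed.

```shell
#!/bin/sh
# Added example: why "just check the hash" only works once the build is
# reproducible, and what the rebuild-and-compare check looks like.
set -eu

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# Constructed source tree with one file; every call is a fresh checkout.
make_source() {
  d=$(mktemp -d)
  printf 'echo hello\n' > "$d/main.sh"
  echo "$d"
}

# Non-reproducible build: stamps the absolute build path into the output,
# so two honest builders get different bytes and hashes cannot be compared.
naive_build() {   # $1 source dir, $2 output file
  { printf '# built from %s\n' "$1"; cat "$1/main.sh"; } > "$2"
}

# Reproducible build: output depends only on source bytes (real projects
# additionally pin the toolchain and set SOURCE_DATE_EPOCH).
repro_build() {   # $1 source dir, $2 output file
  { printf '# built from source\n'; cat "$1/main.sh"; } > "$2"
}

# Build the same source from two checkouts; succeed iff the hashes agree.
builds_agree() {  # $1 name of the build function
  a=$(make_source); b=$(make_source)
  "$1" "$a" "$a/out"; "$1" "$b" "$b/out"
  [ "$(sha256_of "$a/out")" = "$(sha256_of "$b/out")" ]
}

# What a user (or F-Droid) does: rebuild from the published source and
# compare against the binary the developer shipped. Prints match/MISMATCH.
verify_published() {  # $1 published artifact, $2 source dir
  rebuilt=$(mktemp)
  repro_build "$2" "$rebuilt"
  if [ "$(sha256_of "$rebuilt")" = "$(sha256_of "$1")" ]
  then echo match; else echo MISMATCH; fi
}

# Demo: an honest release and one with a line the published source never had.
src=$(make_source)
repro_build "$src" "$src/honest.bin"
cp "$src/honest.bin" "$src/tampered.bin"
printf 'send_telemetry\n' >> "$src/tampered.bin"
echo "naive build reproducible? $(builds_agree naive_build && echo yes || echo no)"
echo "repro build reproducible? $(builds_agree repro_build && echo yes || echo no)"
echo "honest release:   $(verify_published "$src/honest.bin" "$src")"
echo "tampered release: $(verify_published "$src/tampered.bin" "$src")"
```

Note that the check only proves the binary matches the source you were shown; it says nothing about what that source does, which is why a code review or scan is a separate step.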