
Comment by TheRealPomax

5 years ago

Without a fully described mechanism to confirm that the client you download is not compiled with additional code (i.e. without specifying exactly how the client is compiled, using which version of which compiler, and which compile flags, dependency versions, etc) any kind of "the code seems to be on github" is kind of meaningless.

Ideally they should support reproducible builds so that anyone can confirm that the hash of the app corresponds to a specific tag on the source repository. Unfortunately app stores are making it harder to know what the hash of the app you are installing is, but for side-loading this should still be possible.

For web apps, the situation is even more difficult, but there is a technique called Secure Bookmarks which allows you to confirm that a specific bundle of JavaScript is running (at the expense of some usability):

https://coins.github.io/secure-bookmark/

  • F-Droid supports reproducible builds. Any serious FOSS app, I think, must prioritise publishing to F-Droid.
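An added example of the check the comment describes (verifying that an artifact you downloaded is byte-for-byte what a given source tag builds to), written for this page and not taken from the commenter, F-Droid or the secure-bookmark project. The source tree, the "downloaded" artifacts and the telemetry file are constructed inline; the archive is a plain zip standing in for an app bundle, and the fixed timestamp plays the role of SOURCE_DATE_EPOCH.

```python
"""Reproducible-build verification on a toy app bundle.

Two builders are shown: a naive one that embeds the wall clock and whatever
file order it was handed (its output hash means nothing), and a deterministic
one whose output only depends on the source contents, so a rebuilt archive can
be compared bit-for-bit with a downloaded one.  Example code added to this
page; all inputs are constructed, none come from a real project.
"""
import hashlib
import io
import time
import zipfile

# Constructed sample source tree, standing in for a checkout of one git tag.
SOURCE_TREE = {
    "src/main.js": b"console.log('hello');\n",
    "assets/logo.svg": b"<svg/>\n",
    "manifest.json": b'{"name":"demo","version":"1.2.3"}\n',
}

# Fixed build timestamp (2020-01-01 00:00:00 UTC), the SOURCE_DATE_EPOCH idea.
SOURCE_DATE_EPOCH = 1577836800


def build_naive(tree, now=None):
    """Non-reproducible build: entry timestamps come from the clock and entry
    order comes from the dict as given, so two builds differ even when the
    sources are identical."""
    now = time.time() if now is None else now
    stamp = time.gmtime(now)[:6]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in tree.items():
            info = zipfile.ZipInfo(name, date_time=stamp)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


def build_reproducible(tree):
    """Deterministic build: sorted entry order, fixed timestamp, fixed
    permissions and compression, so the bytes depend only on the sources."""
    stamp = time.gmtime(SOURCE_DATE_EPOCH)[:6]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in sorted(tree):
            info = zipfile.ZipInfo(name, date_time=stamp)
            info.compress_type = zipfile.ZIP_DEFLATED
            info.external_attr = 0o644 << 16  # regular file, rw-r--r--
            zf.writestr(info, tree[name])
    return buf.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_artifact(downloaded, tree):
    """Rebuild the tag from source and compare hashes with the downloaded file.

    Returns (matches, downloaded_sha256, rebuilt_sha256)."""
    rebuilt = build_reproducible(tree)
    got, want = sha256_hex(downloaded), sha256_hex(rebuilt)
    return got == want, got, want


if __name__ == "__main__":
    # Honest artifact built from the same tag: hashes agree.
    ok, got, want = verify_artifact(build_reproducible(SOURCE_TREE), SOURCE_TREE)
    print("clean artifact:", ok, got[:16], want[:16])

    # Same sources, but a file was added before packaging (constructed): mismatch.
    tampered_tree = {**SOURCE_TREE,
                     "src/telemetry.js": b"fetch('https://example.invalid/beacon');\n"}
    ok, got, want = verify_artifact(build_reproducible(tampered_tree), SOURCE_TREE)
    print("tampered artifact:", ok, got[:16], want[:16])

    # The naive build cannot be checked this way: same sources, different bytes.
    a = build_naive(SOURCE_TREE, now=SOURCE_DATE_EPOCH)
    b = build_naive(SOURCE_TREE, now=SOURCE_DATE_EPOCH + 120)
    print("naive builds identical:", a == b)
```

The tampered case is the one the comment is worried about: extra code packaged into an otherwise genuine build. With a deterministic builder it shows up as a hash mismatch without reading a single line of the binary; with the naive builder every rebuild differs, so a mismatch tells you nothing, which is why the comment asks for compiler, flags and dependency versions to be pinned before "the code is on GitHub" means anything.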