← Back to context

Comment by __MatrixMan__

8 days ago

> You can't even verify the build you get off Github was compiled from the same posted source

Sure you can: build it and check the hash. If the maintainer prepared for such a check ahead of time it can be as simple as:

    wget https://github.com/owner/foo-project/releases/download/.../foo
    sha256sum foo                       # make note of this 
    nix build github:owner/foo-project
    sha256sum result/bin/foo            # it should match this

A pinky promise from a corporation can never be more trustworthy than something that we can all verify locally.

Of course there's still the should-you-trust-this-code part of the problem, but at least bad guys in that case must operate in public view, which is--once again--a stronger deterrent to shenanigans than anything that happens behind closed doors at Apple.

1 comment

__MatrixMan__

Reply
Tokumei-no-hito  7 days ago

OP was referring to apps downloaded from the app store.

you can't get a build hash from a downloaded app to then compare to a source build.