Comment by 3rodents
9 hours ago
By that standard, it can never be verified because what is running and what is reviewed could be different. Reviewing relevant elements is as meaningful as reviewing all the source code.
Or they could even take out the backdoor code and then put it back in after review.
This is why Signal supports reproducible builds.
In this day and age, in a world with Docker and dev containers and such, it's kind of shocking that reproducible builds aren't table stakes.
Ah yes, the Volkswagen solution.
++1
"target market product alignment" :-D