How can users confidently verify that a FOSS application is running from its published source code? Is there a easy way to check this, or is this based of checksum and hashes?

  • jet@hackertalks.com
    link
    fedilink
    English
    arrow-up
    25
    ·
    1 year ago

    F Droid is as close as you’re going to get. They take open source projects and build them independently and then publish. So if you trust f Droid, then the code you get from f Droid is the right code, and the binary you get from Android is the right binary.

    • SpeakinTelnet@sh.itjust.works
      link
      fedilink
      arrow-up
      5
      ·
      1 year ago

      Fdroid is great but OPs question is even more important then, installing an installer app without knowing its legitimacy could lead to many apps being infected.

      • jet@hackertalks.com
        link
        fedilink
        English
        arrow-up
        4
        ·
        1 year ago

        Sure, its about who you trust in this scenario. once you introduce a compiler it becomes unprovable. So what your threat model is, and who you can trust.