Are Open Source Program Codes Really Open?


I know open source programs can be better in terms of privacy and security, at least potentially. For example, if a messaging app is open source, everyone can see the code of the program on GitHub. If the program has a backdoor, anyone can see it.

But how can we be sure that the code of the app on the Google Play Store is the same as the code on GitHub? Could it be compiled from different code that has a backdoor?

In: Technology

7 Answers

Anonymous 0 Comments

This is indeed a problem. Mostly it’s handled via signing mechanisms: packages are cryptographically signed.

Sometimes problems do happen, especially in package ecosystems like NPM or PyPI that allow developers to pull in loads of code for others to use.

For over 5 years, Debian [1] has been working on an important part of this problem, [reproducible builds](https://reproducible-builds.org/). That is, making sure that this kind of checking is possible, by making sure that building a project doesn’t end up including extra information like the build timestamp or specific details of the system used to build the code.

[1] Debian is one of the most popular open-source Linux distributions, and one of the biggest packagers of open-source software.
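A small added example of what the answer describes, in Python; it is not code from the answer, from Debian or from the Reproducible Builds project, and the source tree, the two build functions, the build counter and the SOURCE_DATE_EPOCH value are constructed for illustration. It packages the same source the careless way (timestamps, build number, host name and uid baked in) and the reproducible way, then does the check that reproducible builds make possible: rebuild from the public source and compare the digest with a "published" artifact.

```python
"""Added example (not from the answer, Debian or the Reproducible Builds project):
package one constructed source tree the careless way and the reproducible way,
then rebuild from source and compare digests with a 'published' artifact."""
import gzip
import hashlib
import io
import itertools
import os
import socket
import tarfile
import time

# Constructed sample source tree: path -> file contents.
SOURCE_TREE = {
    "app/main.py": b"print('hello')\n",
    "app/util.py": b"def add(a, b):\n    return a + b\n",
    "README.md": b"# demo app\n",
}

# Hypothetical CI build counter: one more input that changes on every run.
_build_number = itertools.count(1)


def naive_build(source: dict) -> bytes:
    """Packaging the way many build scripts do it: a fresh timestamp on every
    entry, the build host's uid/gid/name, a BUILD_INFO file with build number,
    wall-clock time and host name, and a gzip header that tarfile stamps with
    the current time. Two runs on the same source give two different archives."""
    buf = io.BytesIO()
    now = int(time.time())
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:  # gzip header mtime = now
        for name, data in source.items():  # insertion order, not sorted
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = now
            info.uid = os.getuid() if hasattr(os, "getuid") else 1000
            info.gid = os.getgid() if hasattr(os, "getgid") else 1000
            info.uname = info.gname = "builder"
            tar.addfile(info, io.BytesIO(data))
        stamp = (f"build #{next(_build_number)} at {time.time_ns()} "
                 f"on {socket.gethostname()}\n").encode()
        info = tarfile.TarInfo("BUILD_INFO")
        info.size = len(stamp)
        info.mtime = now
        tar.addfile(info, io.BytesIO(stamp))
    return buf.getvalue()


def reproducible_build(source: dict, source_date_epoch: int) -> bytes:
    """Same contents, but every input that could vary between machines or runs
    is pinned: sorted entry order, mtime taken from SOURCE_DATE_EPOCH (the
    Reproducible Builds convention for 'time of the last source change'),
    uid/gid 0 with empty names, a fixed mode, a fixed archive format and a
    gzip header with mtime 0. Nothing about the build host is recorded."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=0) as gz:
        with tarfile.open(fileobj=gz, mode="w", format=tarfile.PAX_FORMAT) as tar:
            for name in sorted(source):
                data = source[name]
                info = tarfile.TarInfo(name)
                info.size = len(data)
                info.mtime = source_date_epoch
                info.mode = 0o644
                info.uid = info.gid = 0
                info.uname = info.gname = ""
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def artifact_digest(artifact: bytes) -> str:
    """SHA-256 of the built archive: the value a verifier compares."""
    return hashlib.sha256(artifact).hexdigest()


def extract_contents(artifact: bytes) -> dict:
    """Read an archive back to {path: bytes}, ignoring all metadata."""
    with tarfile.open(fileobj=io.BytesIO(artifact), mode="r:gz") as tar:
        return {m.name: tar.extractfile(m).read()
                for m in tar.getmembers() if m.isfile()}


def verify_published(published: bytes, source: dict, source_date_epoch: int) -> bool:
    """The check the answer is about: rebuild from the public source and see
    whether the published artifact is byte-for-byte the same. Something
    compiled into the published copy but absent from the source fails this."""
    rebuilt = reproducible_build(source, source_date_epoch)
    return artifact_digest(rebuilt) == artifact_digest(published)


if __name__ == "__main__":
    epoch = 1700000000  # constructed SOURCE_DATE_EPOCH for the demo
    for label, build in (("naive", lambda: naive_build(SOURCE_TREE)),
                         ("reproducible", lambda: reproducible_build(SOURCE_TREE, epoch))):
        print(label, artifact_digest(build())[:16], artifact_digest(build())[:16])
    # A 'published' archive built from source with an extra line in main.py.
    tampered = {**SOURCE_TREE, "app/main.py": b"print('hello')\nsend_contacts_home()\n"}
    print("published copy matches source:",
          verify_published(reproducible_build(tampered, epoch), SOURCE_TREE, epoch))
```

Run it and the two naive digests differ from each other while the two reproducible digests match, so only the second kind of build can be checked against a copy someone else published; the tampered archive is a well-formed build that simply fails the comparison. Real projects do the same with their actual toolchain (pinned compiler flags, SOURCE_DATE_EPOCH, fixed file ordering) and use the Reproducible Builds project's diffoscope tool to show where two artifacts differ. A signature on the artifact is the complementary half: it proves who built it, not that it matches the source.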
