I know open source programs can be better in terms of privacy and security. At least potentially. For example, if a messaging app is open source, everyone can see the code of this program on GitHub. If the program has a backdoor, anyone can see it.
But how can we be sure the code of the app on the Google Play Store is the same as the code on GitHub? Could it be compiled from different code that has a backdoor?
In: Technology
You as an end user probably *can't* verify it's the same. However, contrary to what everyone is saying thus far, you actually *can* verify that the source code seen is what was used to build an application.
In the world of automated development pipelines (you push new code and it flows through unit testing, security scanning, and whatever other processes your workflow requires), the pipeline will build the artifact from a specific code commit. All testing/scanning/processing is then done with that artifact/code commit, then that artifact is published to the public *with a hash calculated that’s specific to that artifact*.
So assuming the hash of the built artifact matches the hash of the artifact that went through your pipeline, they are the exact same and haven’t been modified in any way (otherwise the hash would be different). Even re-building the artifact from the same commit but at a different time will change the hash.
Now, this is only useful information to an end-user if the developer publishes the above information publicly, which doesn’t usually happen, but even if they did you have to trust that the developer didn’t fake that information. From a corporate standpoint though, anyone with access to the pipeline can validate that the artifact they received is the artifact that went through testing (which means the exact code commit is the same and the artifact *cannot* have gone through any changes since it was built/tested).
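The hash check the answer above describes, as an added Python example that is not part of the original post. It stands in a zip archive for the built artifact (an APK or JAR is also a zip), hashes it with SHA-256, and compares the digest to the one the pipeline published using a constant-time comparison. The sample "commit" (`SOURCE`), the build timestamps and the extra file in the tampered build are all constructed for the example; the archive's per-entry timestamp is what makes a rebuild of the same source at a different time produce a different hash, which is the behaviour the answer points out.

```python
import hashlib
import hmac
import io
import zipfile


def sha256_of_bytes(data: bytes) -> str:
    """Hex SHA-256 digest of an artifact held in memory."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file on disk in chunks, so large artifacts need not fit in RAM.
    Equivalent to what `sha256sum` prints for the file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifact(data: bytes, published_hex: str) -> bool:
    """True only if the artifact's digest equals the digest the pipeline published.
    compare_digest avoids leaking the match position through timing; the
    published value is normalised so a copy-pasted uppercase hex still matches."""
    return hmac.compare_digest(sha256_of_bytes(data), published_hex.strip().lower())


def build_zip(files: dict, timestamp: tuple) -> bytes:
    """Constructed stand-in for a build step: pack the given source files into a
    zip, stamping each entry with the supplied (Y, M, D, h, m, s) date_time, as a
    real archiver stamps entries with the build time. Entries are stored (not
    compressed) and written in sorted order so the only varying input is the stamp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in sorted(files.items()):
            info = zipfile.ZipInfo(name, date_time=timestamp)
            info.compress_type = zipfile.ZIP_STORED
            z.writestr(info, content)
    return buf.getvalue()


# Constructed sample "code commit" and the timestamp at which the pipeline built it.
SOURCE = {"app/main.py": b"print('hello from the release')\n"}
PIPELINE_STAMP = (2024, 1, 1, 12, 0, 0)

# The digest the pipeline would publish alongside the artifact.
PUBLISHED_SHA256 = sha256_of_bytes(build_zip(SOURCE, PIPELINE_STAMP))


def demo() -> dict:
    """Three artifacts checked against the published digest:
    the pipeline's own build, a later rebuild of the same commit, and a build
    with an extra file slipped in. Only the first verifies."""
    pipeline_build = build_zip(SOURCE, PIPELINE_STAMP)
    rebuild_later = build_zip(SOURCE, (2024, 1, 2, 12, 0, 0))
    tampered = build_zip(
        {**SOURCE, "app/extra.py": b"# constructed: a file that was not in the commit\n"},
        PIPELINE_STAMP,
    )
    return {
        "same_build_matches": verify_artifact(pipeline_build, PUBLISHED_SHA256),
        "rebuild_matches": verify_artifact(rebuild_later, PUBLISHED_SHA256),
        "tampered_matches": verify_artifact(tampered, PUBLISHED_SHA256),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The check is only as trustworthy as the channel the published digest arrives over: a hash fetched from the same download page as the artifact proves nothing against a compromised server, which is why pipelines that publish digests also sign them or serve them from a separately controlled location, and why, as the answer notes, an outsider still has to trust the party that published the value.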