How does verifying open source software work?


How do we know the code that’s published is the same code that’s actually being used?


4 Answers

Anonymous 0 Comments

If you want to know that you’re using the published code, you download the published code and compile it yourself.

That’s it. End of story. No other options.

If you want to be reasonably sure the published code is what’s being used you can wait for someone you trust to download and compile it and then ask them to send you a checksum to compare against the executable you’re running, but assuming some random person is telling the truth is scarcely better than trusting the developers.
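The checksum step this answer describes, as an added example in Go (not code from the answer or from any project): the trusted party sends a checksum list in the same `<hex>  <filename>` format that `sha256sum` prints, and the recipient recomputes the hash of the file they actually have before running it. The file names, contents and the checksum list below are constructed for the example; `sha256("abc")` is the standard published test vector.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

var (
	ErrMismatch   = errors.New("checksum mismatch: this is not the file that was checksummed")
	ErrNoChecksum = errors.New("no checksum was provided for this file")
)

// ParseSums reads a SHA256SUMS-style list: one "<hex>  <filename>" per line,
// the format `sha256sum` prints and `sha256sum -c` reads. A leading '*' on the
// filename (binary-mode marker) is stripped; blank lines and '#' comments are
// skipped. Filenames containing spaces are not handled.
func ParseSums(text string) (map[string]string, error) {
	sums := make(map[string]string)
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 2 || len(fields[0]) != sha256.Size*2 {
			return nil, fmt.Errorf("line %d: not a <sha256 hex>  <filename> entry", n)
		}
		if _, err := hex.DecodeString(fields[0]); err != nil {
			return nil, fmt.Errorf("line %d: bad hex digest: %w", n, err)
		}
		sums[strings.TrimPrefix(fields[1], "*")] = strings.ToLower(fields[0])
	}
	return sums, sc.Err()
}

// CheckArtifact hashes the bytes you actually have and compares them with the
// digest the trusted party sent. It proves the file is the one that digest was
// computed over; it says nothing about whether the digest itself is honest.
func CheckArtifact(data []byte, expectedHex string) error {
	want, err := hex.DecodeString(expectedHex)
	if err != nil || len(want) != sha256.Size {
		return fmt.Errorf("expected digest is not a SHA-256 hex string")
	}
	got := sha256.Sum256(data)
	if subtle.ConstantTimeCompare(got[:], want) != 1 {
		return ErrMismatch
	}
	return nil
}

// VerifyAll checks every downloaded file against the list. A file with no
// entry is reported as ErrNoChecksum rather than silently passing.
func VerifyAll(sums map[string]string, files map[string][]byte) map[string]error {
	results := make(map[string]error, len(files))
	for name, data := range files {
		want, ok := sums[name]
		if !ok {
			results[name] = ErrNoChecksum
			continue
		}
		results[name] = CheckArtifact(data, want)
	}
	return results
}

func main() {
	// Constructed sample: the list "someone you trust" sent, and what we downloaded.
	list := "# SHA256SUMS, sent out of band\n" +
		"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  tool-1.0.bin\n" +
		"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad *tool-1.0.tar.gz\n"
	sums, err := ParseSums(list)
	if err != nil {
		panic(err)
	}
	files := map[string][]byte{
		"tool-1.0.bin":    []byte("abc"), // untouched download
		"tool-1.0.tar.gz": []byte("abd"), // one byte changed in transit
		"plugin.so":       []byte("xyz"), // nobody vouched for this one
	}
	for name, err := range VerifyAll(sums, files) {
		if err == nil {
			fmt.Printf("%-16s OK\n", name)
		} else {
			fmt.Printf("%-16s REFUSE: %v\n", name, err)
		}
	}
}
```

The comparison is only as good as the channel the digest arrived over: if the checksum list is fetched from the same server as the download, anyone who can swap the file can swap the list too.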

Anonymous 0 Comments

>How do we know the code that’s published is the same code that’s actually being used

Because you can take the published code and compile it yourself. Then you know for sure what you’re using.

Anonymous 0 Comments

One way is to compile it yourself.

Another way is to download it from someone you trust.

If you install say the Ubuntu OS, the developers include a public key with the OS and sign software they produce. Basically every piece of software published by Canonical (the organization behind Ubuntu) has a few extra bytes that say “I approve this software — Canonical” and there’s some fancy math that’s used to verify the message. If the verification passes, you can be confident the software on your computer is byte-for-byte identical to the software on the computer used to generate the approval message.

Canonical (or a hacker / rogue employee with access to the right computer) could theoretically publish malicious software; you’re putting your trust in Canonical not to do that (and to guard their computer against hackers or rogue employees).

Whenever they publish a software package, Canonical is basically claiming “Such-and-such software was created by compiling such-and-such source code”. You might think it would be possible for people to write a program that automatically checks these claims by compiling themselves and seeing if the software they got is byte-for-byte identical to the software Canonical published. Unfortunately you have to do a bunch of fiddling with your build system to set it up so that different people compiling the same source code get exactly byte-for-byte identical software. There’s a [whole project](https://reproducible-builds.org/) dedicated to doing that fiddling for every open-source software package offered by major Linux distributors.

You can also tell the Ubuntu OS to trust other software sources. If your friend Bob has a hobby of compiling software, and you trust Bob, you can tell the Ubuntu OS that it’s okay to install software signed with Bob’s key. Then Bob can publish a message “I approve this software — Bob”.
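The signing and key-trust steps this answer describes, as an added example in Go (not code from Ubuntu, apt or Canonical, which use OpenPGP keys through apt's own tooling): a keyring of publishers whose approval this machine accepts, a publisher signing a package with Ed25519, and a verify step that refuses both packages signed by a key you never trusted and packages whose bytes changed after signing. The publisher names "Canonical" and "Bob", the package names and the package contents are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

var (
	ErrUntrustedKey = errors.New("signed by a key this machine has not been told to trust")
	ErrBadSignature = errors.New("signature does not cover these bytes (modified after signing, or forged)")
)

// NewKey generates a publisher's signing keypair (the distributor does this once).
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// KeyID is a short fingerprint of a public key, used to look it up in the keyring.
func KeyID(pub ed25519.PublicKey) string {
	h := sha256.Sum256(pub)
	return hex.EncodeToString(h[:8])
}

// Keyring is the set of publishers whose "I approve this software" messages
// this machine accepts, playing the role of the keys apt keeps on disk.
type Keyring map[string]ed25519.PublicKey

func (k Keyring) Trust(pub ed25519.PublicKey) { k[KeyID(pub)] = pub }

// SignedPackage is the software plus the approval message: which key signed
// it and a signature over exactly these bytes.
type SignedPackage struct {
	Name  string
	Data  []byte
	KeyID string
	Sig   []byte
}

// Publish is what the publisher's build machine does: sign the bytes it built.
func Publish(priv ed25519.PrivateKey, name string, data []byte) SignedPackage {
	pub := priv.Public().(ed25519.PublicKey)
	return SignedPackage{Name: name, Data: data, KeyID: KeyID(pub), Sig: ed25519.Sign(priv, data)}
}

// Verify is what the installing machine does. It answers one question only:
// are these exactly the bytes a trusted key signed? It says nothing about
// whether those bytes were built from the published source.
func (k Keyring) Verify(p SignedPackage) error {
	pub, ok := k[p.KeyID]
	if !ok {
		return ErrUntrustedKey
	}
	if !ed25519.Verify(pub, p.Data, p.Sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	canonicalPub, canonicalPriv := NewKey()
	bobPub, bobPriv := NewKey()
	_, strangerPriv := NewKey()

	ring := Keyring{}
	ring.Trust(canonicalPub) // the key that ships with the OS

	report := func(p SignedPackage) { fmt.Printf("%-22s %v\n", p.Name, ring.Verify(p)) }

	report(Publish(canonicalPriv, "editor (Canonical)", []byte("built editor"))) // accepted
	bobs := Publish(bobPriv, "hobbytool (Bob)", []byte("built by bob"))
	report(bobs)       // refused: Bob's key is not in the keyring yet
	ring.Trust(bobPub) // "it's okay to install software signed with Bob's key"
	report(bobs)       // accepted now
	report(Publish(strangerPriv, "editor (stranger)", []byte("built editor"))) // refused

	tampered := Publish(canonicalPriv, "editor (tampered)", []byte("built editor"))
	tampered.Data = append([]byte{}, tampered.Data...)
	tampered.Data[0] ^= 1 // one bit changed after signing
	report(tampered)      // refused: bad signature
}
```

A signature from a trusted key that verifies on a malicious package still verifies; that is the residual trust in the publisher the answer describes.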

Anonymous 0 Comments

Some projects have reproducible builds.

This means that you can take the code as it was on say, August 22 on Github, build it, and get exactly the bit-by-bit binary they published. This usually takes some work because the exact binary varies depending on things like versions of compilers and dependencies, and requires the absence of anything that could vary, such as timestamps being built into the output.

Without that, the easiest way is to just build it yourself, then you can trust that what you built is what you looked at.

If you suspect something, then a skilled developer can build their own binary, then compare it to the officially published one and see what’s different and where.
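The reproducibility problem described in this answer and in the previous answer's reproducible-builds paragraph, as an added example in Go (a toy "compiler", not any real build system or code from the answers): the same source built on two machines gives different bytes because the build stamps the wall-clock time into the output, pinning the time through SOURCE_DATE_EPOCH (the convention the Reproducible Builds project specifies) removes that variation, and a byte compare reports where two builds diverge, which is the "see what's different and where" step. The source text, compiler strings and timestamps are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
	"strconv"
	"time"
)

// BuildEnv is the part of the build environment that can leak into the output.
type BuildEnv struct {
	Compiler        string    // compiler version string stamped into the binary
	Now             time.Time // wall clock on the build machine
	SourceDateEpoch string    // SOURCE_DATE_EPOCH, "" when unset
}

// Build is a toy compiler. The body is a pure function of the source; the
// header is where non-determinism creeps in, because it records a build time
// taken from the wall clock unless SOURCE_DATE_EPOCH pins it.
func Build(source []byte, env BuildEnv) []byte {
	built := env.Now.Unix()
	if v, err := strconv.ParseInt(env.SourceDateEpoch, 10, 64); err == nil {
		built = v
	}
	var out bytes.Buffer
	fmt.Fprintf(&out, "TOYBIN\ncompiler=%s\nbuilt=%d\n", env.Compiler, built)
	body := sha256.Sum256(source) // stands in for real code generation
	out.Write(body[:])
	return out.Bytes()
}

// FirstDifference returns the offset of the first byte where two builds
// disagree, or -1 when they are bit-for-bit identical.
func FirstDifference(a, b []byte) int {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	for i := 0; i < n; i++ {
		if a[i] != b[i] {
			return i
		}
	}
	if len(a) != len(b) {
		return n
	}
	return -1
}

// Reproducible builds the source as the publisher and as an independent
// reviewer would, and reports whether the reviewer could have confirmed the
// published binary by rebuilding it, plus where the two outputs first differ.
func Reproducible(source []byte, publisher, reviewer BuildEnv) (bool, int) {
	d := FirstDifference(Build(source, publisher), Build(source, reviewer))
	return d == -1, d
}

func main() {
	src := []byte("int main(void) { return 0; }\n") // constructed source
	publisher := BuildEnv{Compiler: "gcc 12.3", Now: time.Unix(1700000000, 0)}
	reviewer := BuildEnv{Compiler: "gcc 12.3", Now: time.Unix(1700000060, 0)} // a minute later

	ok, at := Reproducible(src, publisher, reviewer)
	fmt.Printf("wall clock:        identical=%v, first difference at byte %d\n", ok, at)

	// Pin the timestamp on both sides, the way SOURCE_DATE_EPOCH is used.
	publisher.SourceDateEpoch, reviewer.SourceDateEpoch = "1700000000", "1700000000"
	ok, at = Reproducible(src, publisher, reviewer)
	fmt.Printf("SOURCE_DATE_EPOCH: identical=%v, first difference at byte %d\n", ok, at)

	// A different compiler version still changes the output, epoch or not,
	// which is why the reviewer must match the publisher's toolchain.
	reviewer.Compiler = "gcc 13.2"
	ok, at = Reproducible(src, publisher, reviewer)
	fmt.Printf("other compiler:    identical=%v, first difference at byte %d\n", ok, at)
}
```

In the toy format the difference lands in the header, so a reviewer can read off that it is the timestamp or compiler string rather than the code; with real binaries the same job is done by dumping both files section by section and comparing.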