this post was submitted on 17 Sep 2024
432 points (99.1% liked)
Open Source
30345 readers
2160 users here now
All about open source! Feel free to ask questions, and share news, and interesting stuff!
Useful Links
- Open Source Initiative
- Free Software Foundation
- Electronic Frontier Foundation
- Software Freedom Conservancy
- It's FOSS
- Android FOSS Apps Megathread
Rules
- Posts must be relevant to the open source ideology
- No NSFW content
- No hate speech, bigotry, etc
Related Communities
Community icon from opensource.org, but we are not affiliated with them.
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
The amount of malware you can cram in a source-code patch without drawing attention vs. in a binary is vastly different.
There's also the fact that if you want to ship binaries, you can just wget them from source during the build process. Not a perfect solution but much better than what's ventoy doing. The source code updates works the same in every project because it has to. That's why this is drawing more attention.
That's ok if we are talking about malware publicly shown in the published source code.. but there's also the possibility of a private source-code patch with malware that it's secretly being applied when building the binaries for distribution. Having clean source code in the repo is not a guarantee that the source code is the same that was used to produce the binaries.
This is why it's important for builds to be reproducible, any third party should be able to build their own binary from clean source code and be able to obtain the exact same binary with the same hash. If the hashes match, then you have a proof of the binary being clean. You have this same problem with every single binary distribution, even the ones that don't include pre-compiled binaries in their repo.
The problem is not near enough projects support reproducible builds, and many that do aren't being regularly verified, at least publicly.