Is there a VirusTotal for source code?


mappo (Member, Sweden)
Sep 25, 2021
One of the most held-up reasons why open source is good is something along the lines of:
"1000s of smart people have reviewed the code to make sure there are no security/privacy issues"

And I agree ... but:
The vast majority of us ignore the "download source code" link and just go for the already-compiled executable.
How can I be sure that the executable was compiled with the same source code that the 1000s of smart people reviewed?

A service like VirusTotal for source code could compile the source code and compare the result to the executable on the site.
Of course, compiling something like Firefox takes quite a while, so I guess some kind of hashing would be required.

And now I ask the 1000s of smart listeners to SN:
1. is this an issue?
2. are there solutions?
 
A great many projects build their binaries out in the public in the same way that they share their code publicly. Of course they rely on other binary tools, which you have to hope were built without a hidden agenda themselves. There seems to be a great need for trust in the industry... and it's unclear how much trust is well placed. Not that everyone is bad, because I think a majority are not, but a lot of corners do get cut, and not every developer is a star in his or her field. Potential security vulnerabilities could be created by less-than-competent developers who do not get the necessary helpful code reviews and encouragement to do better.
 
> A great many projects build their binaries out in the public in the same way that they share their code publicly. Of course they rely on other binary tools, which you have to hope were built without a hidden agenda themselves. There seems to be a great need for trust in the industry... and it's unclear how much trust is well placed. Not that everyone is bad, because I think a majority are not, but a lot of corners do get cut, and not every developer is a star in his or her field. Potential security vulnerabilities could be created by less-than-competent developers who do not get the necessary helpful code reviews and encouragement to do better.
Please elaborate on what "build their binaries out in the public" means. I've never heard that phrase before.

Still, it comes down to publishing (at least) two links on the project's site; one to the source code and one to the pre-compiled binary. What ways are there to guarantee that the latter is the result of the former?
 
> Please elaborate on what "build their binaries out in the public"
Some sites, like Github, have a build tool that you can invoke to build your public binaries from your public source. The binaries should thus be assured to represent the source code, assuming you're willing to trust the tools employed are not back-doored (for example, there is the theory of a compiler backdoored to inject mal-code into a binary as it's being compiled: reference)
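The check the original post asks for (rebuild from the published source, compare the result with the published binary) and the public-build answer above both come down to the same thing: the build has to be reproducible, otherwise an honest rebuild produces different bytes and tells you nothing. The script below is an added example written for this thread, not code from any poster or project. It uses a zip archive of a constructed two-file source tree as a stand-in for a compiled binary (zip entries carry timestamps, so they show the same non-determinism problem a real build has), stamps each build with a timestamp the way a compiler or packager does, and then verifies a rebuild against a published SHA-256. SOURCE_DATE_EPOCH is the real convention from the Reproducible Builds project for pinning that timestamp; the file names, contents and epoch value are constructed for the example.

```python
"""Reproducible-build verification, as an added example (not from the thread).

Shows three cases:
  1. naive builds of identical source differ byte-for-byte (timestamps only),
  2. builds that honour SOURCE_DATE_EPOCH match, so a rebuild can be checked
     against the published hash,
  3. a published artifact built from sources other than the reviewed ones
     fails the check, and the differing file can be named.
"""
import hashlib
import hmac
import io
import time
import zipfile

# Constructed sample source tree: path -> contents (not a real project).
SOURCE_TREE = {
    "src/main.py": "print('hello')\n",
    "src/util.py": "def add(a, b):\n    return a + b\n",
}

# Constructed value; a real project records this alongside the release so that
# anyone rebuilding gets the same embedded timestamp.
SOURCE_DATE_EPOCH = 1_700_000_000  # 2023-11-14T22:13:20Z


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build(source_tree: dict, timestamp: int) -> bytes:
    """Package the sources into a zip archive, stamping every entry with
    `timestamp`. A naive build passes the wall clock here; a reproducible
    build passes SOURCE_DATE_EPOCH. Entries are written in sorted order so
    directory-listing order cannot leak into the output either."""
    date_time = time.gmtime(timestamp)[:6]  # (Y, M, D, h, m, s) as zipfile expects
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(source_tree):
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, source_tree[name])
    return buf.getvalue()


def verify_rebuild(published_sha256: str, rebuilt: bytes) -> bool:
    """True if an independent rebuild hashes to the value the project published."""
    return hmac.compare_digest(sha256_hex(rebuilt), published_sha256)


def differing_entries(artifact_a: bytes, artifact_b: bytes) -> list:
    """Name the archive members whose contents differ (the kind of answer a
    diffoscope-style tool gives), so a hash mismatch can be traced to a file
    instead of being written off as 'the hashes differ'."""
    za = zipfile.ZipFile(io.BytesIO(artifact_a))
    zb = zipfile.ZipFile(io.BytesIO(artifact_b))
    names_a, names_b = set(za.namelist()), set(zb.namelist())
    out = []
    for name in sorted(names_a | names_b):
        a = za.read(name) if name in names_a else None
        b = zb.read(name) if name in names_b else None
        if a != b:
            out.append(name)
    return out


def demo() -> dict:
    # Case 1: upstream's CI stamps its clock; you rebuild a day later with yours.
    upstream = build(SOURCE_TREE, timestamp=SOURCE_DATE_EPOCH)
    mine_later = build(SOURCE_TREE, timestamp=SOURCE_DATE_EPOCH + 86_400)
    naive_ok = verify_rebuild(sha256_hex(upstream), mine_later)
    naive_diff = differing_entries(upstream, mine_later)  # [] : only metadata differs

    # Case 2: both sides honour the SOURCE_DATE_EPOCH recorded with the release.
    mine_repro = build(SOURCE_TREE, timestamp=SOURCE_DATE_EPOCH)
    repro_ok = verify_rebuild(sha256_hex(upstream), mine_repro)

    # Case 3: the published artifact was built from a quietly changed source.
    altered = dict(SOURCE_TREE)
    altered["src/util.py"] = altered["src/util.py"].replace("a + b", "a - b")
    published_from_altered = build(altered, timestamp=SOURCE_DATE_EPOCH)
    altered_ok = verify_rebuild(sha256_hex(published_from_altered), mine_repro)
    altered_diff = differing_entries(published_from_altered, mine_repro)

    return {
        "naive_matches": naive_ok,                 # False
        "naive_content_diff": naive_diff,          # []
        "reproducible_matches": repro_ok,          # True
        "altered_matches": altered_ok,             # False
        "altered_content_diff": altered_diff,      # ['src/util.py']
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The first case is the practical caveat: a mismatching hash on its own does not prove tampering, because build timestamps, paths and file ordering commonly differ between machines. Only once the project pins those (SOURCE_DATE_EPOCH, sorted inputs, pinned toolchain) does a rebuild-and-compare, whether done by you or by a public CI job, actually tie the published binary to the reviewed source.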
 
That's really interesting. I had no idea, thanks!
So generally (very generally), projects on github are more reliable (at least in this very specific aspect) than those that roll their own website.

The issue of malicious compilers is separate and not specific to open source imhbco*.

But I still wonder about a VirusTotal-like service for code. Are there any such tools, or has Github solved it?


*in my humble but correct opinion :sneaky: