Is there a VirusTotal for source code?


mappo (Member, Sweden), Sep 25, 2021
One of the most held-up reasons for why open source is good is something along the lines of
"1000s of smart people have reviewed the code to make sure there are no security/privacy issues"

And I agree ... but:
The vast majority of us ignore the "download source code" link and just go for the already-compiled executable.
How can I be sure that the executable was compiled with the same source code that the 1000s of smart people reviewed?

A service like VirusTotal for source code could compile the source code and compare the result to the executable on the site.
Of course, compiling something like Firefox takes quite a while, so I guess some kind of hashing would be required.

And now I ask the 1000s of smart listeners to SN:
1. is this an issue?
2. are there solutions?
 
The vast majority of us ignore the "download source code" link and just go for the already-compiled executable.
I often wonder the same thing when the argument is made that open source is safer. Of the millions and millions of lines of open source code, how much is actually peer reviewed?
 
A great many projects build their binaries out in the public in the same way that they share their code publicly. Of course they rely on other binary tools, which you have to hope were built without a hidden agenda themselves. There seems to be a great need for trust in the industry... and it's unclear how much trust is well placed. Not that everyone is bad, because I think a majority are not, but a lot of corners do get cut, and not every developer is a star in his or her field. Potential security vulnerabilities could be created by less-than-competent developers who do not get the necessary helpful code reviews and encouragement to do better.
 
A great many projects build their binaries out in the public in the same way that they share their code publicly. Of course they rely on other binary tools, which you have to hope were built without a hidden agenda themselves. There seems to be a great need for trust in the industry... and it's unclear how much trust is well placed. Not that everyone is bad, because I think a majority are not, but a lot of corners do get cut, and not every developer is a star in his or her field. Potential security vulnerabilities could be created by less-than-competent developers who do not get the necessary helpful code reviews and encouragement to do better.
Please elaborate on what "build their binaries out in the public" means. I've never heard that phrase before.

Still, it comes down to publishing (at least) two links on the project's site; one to the source code and one to the pre-compiled binary. What ways are there to guarantee that the latter is the result of the former?
 
Please elaborate on what "build their binaries out in the public"
Some sites, like Github, have a build tool that you can invoke to build your public binaries from your public source. The binaries should thus be assured to represent the source code, assuming you're willing to trust the tools employed are not back-doored (for example, there is the theory of a compiler backdoored to inject mal-code into a binary as it's being compiled: reference)
 
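The check the thread is circling around, written out as an added example (not code from anyone in this thread or from GitHub): rebuild the artifact from the published source, hash the result, and compare the hash with the digest the project published for its download. The two "compilers" in the script are constructed stand-ins so that it runs offline; a real project would call make, cargo build, go build and so on in their place. The second stand-in leaks its build directory into the output, which is the common way real builds fail to reproduce (absolute paths in debug info, embedded timestamps), and it shows why "some kind of hashing" only works once the build itself is deterministic. Requires sha256sum from coreutils.

```shell
#!/bin/sh
# Added example: verify that a shipped artifact is what the published source
# builds to. The builders are constructed stand-ins, not a real toolchain.
set -eu

# Deterministic build: output depends only on the source bytes.
build_deterministic() {   # $1 = source path, $2 = output path
    tr 'a-z' 'A-Z' < "$1" > "$2"
}

# Non-reproducible build: leaks the build directory into the artifact, the
# way unstripped debug info or __FILE__ paths often do in real compilers.
build_with_path() {       # $1 = source path, $2 = output path
    workdir=$(mktemp -d)
    { tr 'a-z' 'A-Z' < "$1"; printf 'BUILT_IN=%s\n' "$workdir"; } > "$2"
    rmdir "$workdir"
}

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# Publisher side: build once and print the digest of the shipped artifact.
publish_digest() {        # $1 = builder function, $2 = source path
    out=$(mktemp)
    "$1" "$2" "$out"
    sha256_of "$out"
    rm -f "$out"
}

# Verifier side: rebuild from the same source and compare digests.
# Exit status 0 = artifact matches source, 1 = mismatch (tampered download,
# different source, or a build that is not reproducible).
verify_reproducible() {   # $1 = builder, $2 = source path, $3 = published digest
    out=$(mktemp)
    "$1" "$2" "$out"
    actual=$(sha256_of "$out")
    rm -f "$out"
    [ "$actual" = "$3" ]
}
```

A mismatch from verify_reproducible cannot by itself say whether the download was altered or the build is merely non-deterministic, so the first step for any project is to get two independent builds of the same commit to agree; only then does the comparison against the published digest mean anything.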
That's really interesting. I had no idea, thanks!
So generally (very generally), projects on github are more reliable (at least in this very specific aspect) than those that roll their own website.

The issue of malicious compilers is separate and not specific to open source imhbco*.

But I still wonder about a VirusTotal-like service for code. Are there any such tools, or has Github solved it?


*in my humble but correct opinion :sneaky: