One of the most held-up reasons for why open source is good is something along the lines of:
"1000s of smart people have reviewed the code to make sure there are no security/privacy issues"
And I agree ... but:
The vast majority of us ignore the "download source code" link and just go for the already-compiled executable.
How can I be sure that the executable was compiled with the same source code that the 1000s of smart people reviewed?
A service like VirusTotal for source code could compile the source code and compare the result to the executable on the site.
Of course, compiling something like Firefox takes quite a while, so I guess some kind of hashing would be required.
And now I ask the 1000s of smart listeners to SN:
1. Is this an issue?
2. Are there solutions?
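The compile-and-compare check the question describes is what reproducible builds aim to make possible, and the reason "some kind of hashing" only works once the build itself is deterministic. The example below is added here and is not from the poster or any project: `build()` is a toy stand-in for a compiler (an assumption), while `SOURCE_DATE_EPOCH` refers to the real convention reproducible-build projects use to pin timestamps embedded in build output.

```python
import hashlib
import time
from typing import Optional

# Constructed sample "source code" standing in for a reviewed project tree.
SOURCE = b"int main(void) { return 0; }\n"

def build(source: bytes, source_date_epoch: Optional[int] = None) -> bytes:
    """Toy stand-in for a compiler (an assumption, not a real toolchain).

    Like many real build tools it stamps the current time into the output unless
    SOURCE_DATE_EPOCH pins it, so two honest builds of identical source can still
    differ byte for byte. Pinning the timestamp is what makes the build reproducible.
    """
    ts = source_date_epoch if source_date_epoch is not None else int(time.time())
    header = f"built-at:{ts}\n".encode()
    payload = hashlib.blake2b(source, digest_size=16).digest()  # stand-in for code generation
    return header + payload

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_release(published_binary: bytes, source: bytes,
                   source_date_epoch: Optional[int] = None) -> dict:
    """Rebuild from the reviewed source and compare digests with the shipped binary.

    Returns both digests so a mismatch can be investigated rather than only flagged.
    """
    rebuilt = build(source, source_date_epoch)
    expected = sha256_hex(rebuilt)
    actual = sha256_hex(published_binary)
    return {"match": expected == actual, "rebuilt_sha256": expected, "published_sha256": actual}

if __name__ == "__main__":
    epoch = 1_700_000_000           # SOURCE_DATE_EPOCH the publisher says they built with
    release = build(SOURCE, epoch)  # the binary as published on the download page

    # 1. Honest binary, reproducible build: digests match, so the binary came from this source.
    print(verify_release(release, SOURCE, epoch)["match"])  # True

    # 2. Same source, but each build stamped its own clock (simulated with two values):
    #    the rebuild differs even though nothing is wrong, so the check is useless without pinning.
    print(verify_release(build(SOURCE, 1000), SOURCE, 2000)["match"])  # False

    # 3. Tampered binary: one extra byte, the digests diverge and the check catches it.
    print(verify_release(release + b"\x90", SOURCE, epoch)["match"])  # False
```

In practice the rebuild runs in a pinned build environment (same compiler version, flags and `SOURCE_DATE_EPOCH`), and the verifier then compares its digest against the one published by the project or by independent rebuilders.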