undefined | Better HN

0 pointsxenonite12y ago0 comments

Even more than that, if one wants to insert backdoors in OOS, one could easily do that getting barely noticed.

A program might be open source, still the binaries offered for download might be compromised. Who is able to notice that now?

You might compile the software yourself, but the majority of users wont.

You might have reverse engineered a closed source software, but I guess you won't do that for the OSS binaries.

0 comments

omegant12y ago

Honest question: if the source code is compiled with the same compiler (although different computer), will it give a different binary with a different hash?

MaulingMonkey12y ago

Even compiling the source code with the same compiler, same build options, and same computer will generally generate a different binary with a different hash! Special effort is required to generate "deterministic builds", sometimes seen for e.g. verifying the integrity of gambling software. Here's what one fellow has been going through in an effort to accomplish that:

http://stackoverflow.com/questions/1180852/deterministic-bui...

FedRegister12y ago

Potentially yes if the compiler is not configured (at build time) with the same options and the same optimization levels are not used when building the source.

j / k navigate · click thread line to collapse