But that point applies to binary distribution outside an app store as well. How can you know that the binary linked from a GitHub repository is built from the same source?
That model has been proven for cryptocurrency, hasn't it? As long as you have enough validators, you don't need everyone to spend the considerable resources it takes to validate (or in this case, build from source).
Right now the Apple model is "trust that the Apple employee who glanced at this for 15 minutes spotted any problems".
Ideally the source is readable, though reality falls short of that for most projects.
For example, I didn’t realize I liked C until Redis. Now I’ve found a handful of C programs that I’d put into the “readable by non-C devs” bucket, like i3 and the suckless collection.
Most build tools also are a disaster from the perspective of giving end users agency over their software. Automake, make, etc are often cryptic magic to non-practitioners. Like C, they can be made readable but most aren’t.
KISS Linux falls into this bucket of “grokable” as well: it’s minimal, and the process of going from source to distribution is easy to understand. Many stock distributions are so complicated I don’t think the average tech-savvy human has any hope of truly understanding what their system is doing in a single lifetime.
That's why I prefer distro-built packages over upstream binaries wherever possible. It greatly reduces the number of build and distribution platforms that I have to trust.
With reproducible builds (and as long as the distribution doesn't need to maintain any patches vs. upstream), this could even provide the best of both worlds: verifiable hashes (comparable with upstream and other distributions) and a smaller set of trusted entities.
On the other hand, I'm not sure I'd necessarily trust a small open-source distribution's maintainers more than a widely used password manager's developers; I think I'd prefer my root of trust to be whatever has more users (and by proxy, hopefully scrutiny).
Or source-based distros (and, equivalently, source-based distros with reproducible builds and a binary cache of build artifacts, with a package manager that checks that the resulting hash matches the expected value).
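The check the comments above describe, as an added example that is not part of this thread: compare a downloaded artifact's SHA-256 against upstream's published SHA256SUMS and against digests reported by independent rebuilders, and only accept it when a quorum of builders reproduced the same digest. The artifact bytes, the SHA256SUMS text and the builder names (`distro-a-buildd`, `distro-b-buildd`, `rebuilder-c`) are all constructed for the example; `min_agreeing` is an assumed policy knob, not a setting from any real package manager.

```python
import hashlib
import re


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of an artifact, lowercase hex as sha256sum(1) prints it."""
    return hashlib.sha256(data).hexdigest()


def parse_sha256sums(text: str) -> dict:
    """Parse a SHA256SUMS-style file ('<hex>  <filename>' per line) into {filename: hex}.

    Lines that are not a 64-hex-char digest followed by a name are skipped; the
    optional '*' before the name is sha256sum's binary-mode marker.
    """
    sums = {}
    for line in text.splitlines():
        m = re.match(r"^([0-9a-fA-F]{64})\s+\*?(\S.*)$", line.strip())
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums


def quorum_check(artifact: bytes, attestations: dict, min_agreeing: int):
    """Compare the artifact's digest with digests claimed by independent builders.

    attestations: {builder_name: hex_digest}
    Returns (ok, digest, agreeing_builders, disagreeing_builders). ok is True only
    when at least min_agreeing builders reproduced this exact digest. A single
    matching hash (e.g. the distributor's own SHA256SUMS) shows only that the
    download was not corrupted in transit, not that it was built from the source.
    """
    digest = sha256_hex(artifact)
    agreeing = sorted(b for b, h in attestations.items() if h.lower() == digest)
    disagreeing = sorted(b for b, h in attestations.items() if h.lower() != digest)
    return len(agreeing) >= min_agreeing, digest, agreeing, disagreeing


# --- Constructed sample data (not real artifacts or builders) -----------------
GOOD_BUILD = b"\x7fELF hypothetical reproducible build of example-tool 1.2.3"
TAMPERED_BUILD = GOOD_BUILD + b"\x00 extra bytes injected on one build host"
ARTIFACT_NAME = "example-tool-1.2.3-linux-amd64"

# Upstream's SHA256SUMS file as it would be served beside the release binary.
UPSTREAM_SHA256SUMS = f"{sha256_hex(GOOD_BUILD)}  {ARTIFACT_NAME}\n"

# Digests reported by independent rebuilders (hypothetical names). One builder's
# output differs, standing in for a compromised or misconfigured build host.
REBUILDER_ATTESTATIONS = {
    "distro-a-buildd": sha256_hex(GOOD_BUILD),
    "distro-b-buildd": sha256_hex(GOOD_BUILD),
    "rebuilder-c": sha256_hex(TAMPERED_BUILD),
}


def verify_download(artifact: bytes, name: str, sha256sums_text: str,
                    rebuilders: dict, min_agreeing: int = 2):
    """Full check: upstream's own checksum plus a quorum of independent rebuilds."""
    attestations = dict(rebuilders)
    upstream = parse_sha256sums(sha256sums_text).get(name)
    if upstream is not None:
        attestations["upstream"] = upstream
    return quorum_check(artifact, attestations, min_agreeing)


if __name__ == "__main__":
    for label, blob in (("good download", GOOD_BUILD),
                        ("tampered download", TAMPERED_BUILD)):
        ok, digest, agree, disagree = verify_download(
            blob, ARTIFACT_NAME, UPSTREAM_SHA256SUMS, REBUILDER_ATTESTATIONS)
        print(f"{label}: {'OK' if ok else 'REJECT'} sha256={digest[:16]}... "
              f"agree={agree} disagree={disagree}")
```

The point of the quorum is the one made in the thread: a hash from the same party that shipped the binary only detects transit corruption, while agreement between several parties who each built from the same source is what ties the binary back to that source. The disagreeing builder is reported rather than silently ignored, since a persistent mismatch from one rebuilder is itself worth investigating.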
Of course source can still be compromised, say by malicious dependencies. But it's better than source and binaries being compromisable.