How can users confidently verify that a FOSS application is running from its published source code? Is there a easy way to check this, or is this based of checksum and hashes?

  • aurtzy@discuss.tchncs.de
    link
    fedilink
    arrow-up
    10
    ·
    1 year ago

    You might find The Full-Source Bootstrap: Building from source all the way down by some of the GNU Guix maintainers of interest to read, which discusses how Guix is attempting to solve the “trusting trust” attack some have mentioned here.

    Although I haven’t used it myself yet, Guix actually has a feature that lets you “challenge” the build servers to see if your builds match the pre-built binaries (the command being aptly named guix challenge).

    • theshatterstone54@feddit.uk
      link
      fedilink
      arrow-up
      1
      ·
      1 year ago

      Do you use Guix? I’ve found it quite interesting and I’d love to try it out one day. The thing is, I need the mainline Linux kernel for some proprietary drivers.

      • aurtzy@discuss.tchncs.de
        link
        fedilink
        English
        arrow-up
        4
        ·
        1 year ago

        I do!

        For starters, you’re not required to install Guix System in order to use the Guix package manager itself; the manual provides instructions for installing it on top of your existing system here if you want to use it but not fully commit (you can do this with Nix too).

        Guix allows for adding new sources to pull packages from using channels. The nonguix channel provides the Linux kernel - blobs and all - as well as other stuff that won’t be upstreamed, like Steam and NVIDIA drivers.

        I recommend this helpful series by System Crafters, which includes a few guides on installing Guix and Guix System with the full Linux kernel.