• jaybone@lemmy.zip · 12 upvotes · 12 hours ago

    For people who do this, is the purpose to ensure you are not getting a bad binary which has some malicious code compiled in?

    If yes, isn’t it more difficult to check all the source code yourself? You may as well trust a binary where the author has confirmed a hash of the binary. Unless you really are checking every single line of source code. But then I wonder how you get anything else done.

    • ulterno@programming.dev · 7 upvotes · 10 hours ago

      The incident from xz gives a good example of where self-compiling stuff would be a good idea.
      The code was mostly fine, but the maintainer managed to include malicious instructions in the binary. Most people who read the source didn't realise the possibility. I checked it out afterwards and it was still hard to get.

    • ѕєχυαℓ ρσℓутσρє@lemmy.sdf.org · 11 upvotes · edited · 12 hours ago

      The idea is that someone is checking the code. And by building it yourself, you can at least ensure that you’re getting what’s built from the code. It is possible that some malicious stuff was inserted while building the binary that doesn’t show up in the source code. Building from source solves that problem.

      Reproducible builds try to solve that problem by generating some provenance from a third party. A middle ground can be building the binary using something like GitHub Actions, since that can be audited by others. That comes with its own can of worms since GH is owned by M$, but I digress.

      So it is technically sane to do it, just not very practical in my view. But for lesser known apps, I do sometimes build from source.
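Two of the checks discussed in this thread, as an added example that is not code from the thread or from any project mentioned in it: a comparison of a release tarball against the version-controlled tree it claims to be built from, listing files that exist only in the tarball or differ from the checkout (material a source review of the repository could never have shown), and a reproducibility check that builds the same tree twice, with and without a pinned SOURCE_DATE_EPOCH. The project, file names, file contents and the toy "compiler" are constructed for the demonstration; only the SOURCE_DATE_EPOCH convention and the standard-library `tarfile`/`hashlib` calls are real.

```python
from __future__ import annotations

import hashlib
import io
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def tree_digests(root: Path) -> dict[str, str]:
    """Relative POSIX path -> sha256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_hex(p.read_bytes())
            for p in sorted(root.rglob("*")) if p.is_file()}


def tarball_digests(tar_bytes: bytes) -> dict[str, str]:
    """Same mapping for a tarball, with its single top-level directory stripped."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for m in tf.getmembers():
            if m.isfile():
                rel = m.name.split("/", 1)[1] if "/" in m.name else m.name
                out[rel] = sha256_hex(tf.extractfile(m).read())
    return out


def compare_tarball_to_tree(tar_bytes: bytes, tree_root: Path):
    """Return (only_in_tarball, only_in_tree, content_differs), each sorted.
    Anything in the first or third list never passed through the reviewed tree."""
    tar_d, tree_d = tarball_digests(tar_bytes), tree_digests(tree_root)
    only_tar = sorted(set(tar_d) - set(tree_d))
    only_tree = sorted(set(tree_d) - set(tar_d))
    differs = sorted(p for p in tar_d.keys() & tree_d.keys() if tar_d[p] != tree_d[p])
    return only_tar, only_tree, differs


def toy_build(digests: dict[str, str], source_date_epoch: int | None = None) -> str:
    """Toy 'compiler' (constructed): the artifact is a hash over every input file
    plus a build timestamp. With source_date_epoch=None the wall clock leaks into
    the artifact, so identical sources give different outputs; pinning it, as the
    real SOURCE_DATE_EPOCH convention does, makes the output a function of the
    sources alone, which is what lets an independent builder reproduce it."""
    stamp = time.time_ns() if source_date_epoch is None else source_date_epoch
    h = hashlib.sha256()
    for path in sorted(digests):
        h.update(f"{path}\0{digests[path]}\n".encode())
    h.update(f"built-at:{stamp}".encode())
    return h.hexdigest()


def make_tarball(root: Path, topdir: str, extra: dict[str, bytes]) -> bytes:
    """Pack root as topdir/... and append `extra` files that are not in root.
    Constructed stand-in for a release tarball shipping generated build files
    that were never committed to version control."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        tf.add(root, arcname=topdir)
        for name, data in extra.items():
            ti = tarfile.TarInfo(f"{topdir}/{name}")
            ti.size = len(data)
            tf.addfile(ti, io.BytesIO(data))
    return buf.getvalue()


def demo() -> dict:
    """Run both checks on a constructed project and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        tree = Path(tmp) / "checkout"                    # the reviewed VCS tree
        (tree / "src").mkdir(parents=True)
        (tree / "src" / "main.c").write_bytes(b"int main(void) { return 0; }\n")
        (tree / "configure.ac").write_bytes(b"AC_INIT([demo], [1.0])\n")

        # Constructed release tarball: the checkout plus one generated file.
        release = make_tarball(tree, "demo-1.0",
                               {"m4/generated.m4": b"dnl produced at release time\n"})
        only_tar, only_tree, differs = compare_tarball_to_tree(release, tree)

        tar_d, tree_d = tarball_digests(release), tree_digests(tree)
        pinned = 1_700_000_000
        unpinned_a = toy_build(tree_d)
        time.sleep(0.02)                                  # let the clock move
        unpinned_b = toy_build(tree_d)
        return {
            "only_in_tarball": only_tar, "only_in_tree": only_tree, "differs": differs,
            # What a published checksum is taken over: a build of the tarball.
            "tarball_build": toy_build(tar_d, pinned),
            # Two builds of the reviewed tree: identical when the timestamp is pinned.
            "tree_build": toy_build(tree_d, pinned),
            "tree_build_again": toy_build(tree_d, pinned),
            "unpinned_a": unpinned_a, "unpinned_b": unpinned_b,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run directly, it prints the findings: the generated m4 file appears only in the tarball, the two pinned builds of the checkout match each other but not the build of the tarball, and the two unpinned builds disagree even though their inputs are byte-identical. The real-world form of the first check is diffing a release tarball against `git archive` of the corresponding tag; the second is what reproducible-builds efforts do by comparing artifacts from independent builders.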