
You can build and check against the binaries. What's your point?



But what about the code you run to verify the binaries? You have to trust that. Or are you reviewing every bit by hand?

I find it's much easier to audit the source code, and build the binaries yourself from that code.

Also, it's a collaborative effort. If you build your binaries from the same sources that other people use, then you can split up the work, and you all benefit from anyone's discoveries.

Obviously, we don't have perfect verification of the code we run. People can overlook things. Compilers can be subverted. Operating systems can be pwned. Malicious hardware can undermine all of our efforts. But let's not let perfect be the enemy of good, and let's not fool ourselves into thinking that faith in a corporation is a substitute for transparency.


I was rather under the impression that checking in binaries was discouraged because it led to performance issues and tends to blow up the repository size. I don't think it's just pedantry.

But can they build it and run it? Or do they have to trust the code is current and matches the binaries?

Heh, that's true - you can't run binaries that aren't there :)

Bytecode / binaries can be verified (for certain properties) using static analysis. Open source doesn't make verification that much easier (at scale), but it makes fixing a lot easier.

Also, until reproducible builds become commonplace, most Linux users can't verify that their binaries come from a specific version of the source. Binary verification is the way to go.


I doubt you verify every bit of binaries you download.

Open source gives you the possibility of knowing your binary is good, by compiling it yourself. I chose not to do so, because I couldn't really be bothered. But others who need this kind of security could, and I would hope they do.


That only checks that binaries are the same as what is published by distributors.

It doesn't help against a malicious distributor, unless package managers also do a deterministic build themselves and verify that the checksum of the self-built binary matches the checksum published by the distributor.
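An added example of the check described in the comment above (my code, not any commenter's): parse a distributor's sha256sum-style checksum list, hash the artifacts from our own deterministic rebuild, and flag every name where the published value disagrees. Artifact names and contents are constructed stand-ins.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_sums(text: str) -> dict[str, str]:
    """Parse sha256sum-style output ('<hex>  <name>' per line) into {name: hex}."""
    sums = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        name = name.lstrip("*")  # sha256sum prefixes '*' for binary-mode entries
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed checksum line: {raw!r}")
        sums[name] = digest.lower()
    return sums


def verify_rebuild(published: dict[str, str], rebuilt: dict[str, bytes]) -> dict[str, str]:
    """Compare a distributor's published checksums with artifacts we rebuilt ourselves.

    reproduced  - our build hashes to the published value, so the distributed binary
                  corresponds to the source we audited and built.
    mismatch    - published value differs from our build: the build is not reproducible
                  or the distributor shipped something else; either way, investigate.
    unverified  - published, but we did not rebuild it (nothing independent to compare).
    unpublished - we built it, but the distributor lists no checksum for it.
    """
    verdict = {}
    for name in sorted(published.keys() | rebuilt.keys()):
        if name not in rebuilt:
            verdict[name] = "unverified"
        elif name not in published:
            verdict[name] = "unpublished"
        elif sha256_hex(rebuilt[name]) == published[name]:
            verdict[name] = "reproduced"
        else:
            verdict[name] = "mismatch"
    return verdict


# Constructed stand-ins for the outputs of our own deterministic build.
OUR_BUILD = {"tool-1.0.bin": b"\x7fELF-stand-in-A", "helper-1.0.bin": b"\x7fELF-stand-in-B"}


def demo() -> tuple[dict[str, str], dict[str, str]]:
    # Honest distributor: its list was produced from the same reproducible build.
    honest = "\n".join(f"{sha256_hex(b)}  {n}" for n, b in OUR_BUILD.items())
    # Constructed dishonest list: a different binary under the same name, plus an
    # artifact we never rebuilt, and no entry at all for helper-1.0.bin.
    tampered = "\n".join([f"{sha256_hex(b'substituted-stand-in')}  tool-1.0.bin",
                          f"{'0' * 64}  extra-1.0.bin"])
    return verify_rebuild(parse_sums(honest), OUR_BUILD), verify_rebuild(parse_sums(tampered), OUR_BUILD)
```

Only a "reproduced" verdict says anything about the distributor; a "mismatch" on a build that is not yet deterministic is expected noise, which is the point of the original comment.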


In short, the binaries are already built. Usually it's faster to link to a prebuilt binary than to build from scratch.

That's not really the same as producing binaries that can function on original hardware.

That's fine. I don't care what you do with your self-built binaries once you manage to build them yourself. But too many firms have no infrastructure in place to do that. They wait for upstreams to synchronize to fix security flaws that they could fix directly.

Doesn’t seem so sensational when it can’t build binaries for the target machine… on the target machine itself…

Check out sources & build your own binaries.

Yeah, if I were setting up a verification service there's no way I would verify source code instead of compiled binaries.

True - though I prefer binaries because when building from source it's easy to burn time just fiddling with dependencies

Only needs to have access to software source code, and presumably a way to verify the binaries match. Not an entire factory.

Yeah but if you are downloading a compiler, then that sort of implies that you know how to build binaries :)

Where do you get the binaries? Or do you build it yourself?

So they have you install a binary that you can't inspect the source to or build on your own? I'm confused.
