
I can edit binaries too.

The question is: am I provided the build source that constructed these files? Mistral did not hand-edit these files to construct them; there's source out there that built them.

Like, come on, a 14GB dump of mainly numbers that were constructed algorithmically is not "source".




In some sense aren't binaries modified versions of the source?

Unless you are reviewing the source of everything and compiling it all yourself, then you're executing someone else's binary.

And what would having the source code change?

Unless you host the data yourself, if you don't trust Wuala there is no guarantee the binaries you use are built from the source code you have.


I compile my own binaries. Not too bad actually.

Did you read all those lines yourself? Did you even confirm checksums matched before running them?

I think that's the parent's point. You can build from source, but how do you trust the source? Is it any more egregious to trust a prebuilt binary from a specific website than it is the raw source? If you can't trust the binary being hosted by the author/caretaker, can you really trust the source being hosted or maintained by the author/caretaker?


Isn't the source code zipped up alongside the binaries?

It's possible to modify binary executables; doesn't make them open-source.

Do you build the binary from source?

Again, not assuming you're evil, but it's possible that the compiled binary (.xpi) was not created from the source posted on the GitHub account :)

On a closed-source system, sure. On a system where you have the source, you have the option to rebuild your binaries.

Yes, definitely source+build instructions should be uploaded rather than binaries.

You can still support proprietary software by just uploading the binaries as source (and maybe doing some build-process to adapt it to the packaging format).


So they have you install a binary that you can't inspect the source to or build on your own? I'm confused.

Sorry to be a pedant, but that doesn't mean the supplied binaries have been built with the exact source provided :^)

Also, the binaries are being offered for download over HTTP with no signatures.


You can build and check against the binaries. What's your point?

There would be no assurance that the binary is compiled from the source though.

If you don't have the source that produced those binaries your only choice is to have them downloadable from somewhere else (which is a real hassle for the developer) or just check them into the repo.

I understand this, I was just stating that

1. people should compile their own binary, since there is no easy way to know if you actually made only those edits in the provided binary (don't take it personally, really)

2. it's sad that Apple forked OpenSSH, since I can't have their integrations with a recent version


> These binaries are provided by anyone

I don’t think this is true for macOS? The builds seem automated…


They say the binaries are being made under Apache 2.

They don't say anything about the source code being published. That's why (to me) this is so interesting. I've never seen binaries released without source code before.
