Ask HN: Why don't we create checksum for source code?
Suppose a developer puts the source code of an app on GitHub, so that we can review the source code to ensure it is safe for users. I know we create checksums for the binaries. But how can we know the app in the App Store is built from the source code on GitHub?
3 comments
bloak, over 4 years ago
https://en.wikipedia.org/wiki/Reproducible_builds ?
remexre, over 4 years ago
https://nixos.org/ and https://guix.gnu.org/ are both angling to do this, but... it's hard.
smt88, over 4 years ago
The majority of useful software will not build into identical binary files each time.

If you trust the source code, it's usually easy enough to build a mature FOSS app yourself.
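The non-identical builds smt88 describes, and the rebuild-and-compare check behind the reproducible-builds link, as an added example that is not part of the thread. It uses a zip archive's embedded per-entry timestamps as a stand-in for a real build artifact, with a constructed two-file source tree and a constructed source date standing in for the `SOURCE_DATE_EPOCH` convention reproducible builds use.

```python
"""Added example (not from the thread): why two builds of the same source can
yield different artifact checksums, and how pinning the nondeterministic input
(here a timestamp) lets a reviewer rebuild and compare against a release."""
import hashlib
import io
import zipfile

# Constructed sample "source tree": file name -> contents.
SOURCE = {"main.py": b"print('hello')\n", "README": b"demo app\n"}

# Fixed timestamp a reproducible build derives from the source (the commit
# date via SOURCE_DATE_EPOCH); the value here is constructed for the example.
SOURCE_DATE = (2020, 1, 1, 0, 0, 0)


def build(files, timestamp):
    """Pack the tree into a zip, stamping every entry with `timestamp`.
    The per-entry mtime is what makes two otherwise identical builds differ."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Sorted: filesystem directory order is another common nondeterminism.
        for name in sorted(files):
            info = zipfile.ZipInfo(name, date_time=timestamp)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, files[name])
    return buf.getvalue()


def checksum(artifact):
    """The checksum a developer would publish next to the binary."""
    return hashlib.sha256(artifact).hexdigest()


def naive_builds_match(files):
    """Two 'normal' builds of the same source at different wall-clock times."""
    a = build(files, (2021, 5, 3, 10, 0, 0))
    b = build(files, (2021, 5, 4, 11, 0, 0))
    return checksum(a) == checksum(b)


def reproducible_builds_match(files):
    """Two builds that both take the timestamp from the source date."""
    return checksum(build(files, SOURCE_DATE)) == checksum(build(files, SOURCE_DATE))


def verify_release(published_checksum, files):
    """What a reviewer does: rebuild from the published source and compare
    the result's checksum with the one shipped alongside the binary."""
    return checksum(build(files, SOURCE_DATE)) == published_checksum
```

Only when the build is reproducible does a checksum mismatch mean the shipped artifact was not built from the published source rather than merely built at a different time.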