Comment on Lawsuit Alleges That WhatsApp Has No End-to-End Encryption
phtheven@lemmy.world 1 day ago
By this logic, can we trust any open source software, even if they claim to use some third-party encryption? They could say they're using a super secure encryption, even show it implemented in their open source code base, then just put the other, secret evil backdoor code base in production? Is there a way for any open source project to prove that the code in their open source repo is the code in production?
BlueKey@fedia.io 1 day ago
This is called reproducible builds. With this, all builds of a version will be binary-identical. So you can build from the repo and then compare it with the app store binary and see if the owner was honest.
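The comparison step of the check described above, as an added example that is not part of the thread and not Signal's own comparison script (Signal ships one in its repo): an APK is a ZIP archive, and a store-signed build legitimately differs from an unsigned local build only in the signing artefacts under META-INF/, so the script strips those entries and compares the SHA-256 of every remaining entry. The package name, file contents and signature bytes below are constructed sample data, not real app artefacts.

```python
"""Compare a locally built APK with the one downloaded from an app store.

Added example, not Signal's apkdiff tool. Only meaningful if the local
build used the same pinned toolchain the project documents for its
reproducible builds; otherwise compiler differences alone cause mismatches.
"""
import hashlib
import io
import zipfile

# Signing artefacts that legitimately differ between an unsigned local
# build and the store-signed binary (JAR/APK v1 signature files).
# APK Signature Scheme v2/v3 lives in a signing block outside the ZIP
# entries, which a ZIP reader never sees, so it needs no special casing here.
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF")
SIGNATURE_NAMES = ("META-INF/MANIFEST.MF",)


def is_signature_entry(name):
    """True for META-INF entries produced by signing, which we skip."""
    if not name.startswith("META-INF/"):
        return False
    return name in SIGNATURE_NAMES or name.upper().endswith(SIGNATURE_SUFFIXES)


def entry_digests(apk_bytes):
    """Map entry name -> SHA-256 of its uncompressed content, skipping signature files."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_apks(local_apk, store_apk):
    """Return entries missing, extra or changed between the two builds.

    All three lists empty means the store binary carries exactly what the
    source produced (apart from the signature), i.e. the build reproduced.
    """
    local = entry_digests(local_apk)
    store = entry_digests(store_apk)
    common = set(local) & set(store)
    return {
        "only_in_local": sorted(set(local) - set(store)),
        "only_in_store": sorted(set(store) - set(local)),
        "changed": sorted(n for n in common if local[n] != store[n]),
    }


def reproducible(local_apk, store_apk):
    return not any(compare_apks(local_apk, store_apk).values())


def build_apk(entries):
    """Constructed sample APK (just a ZIP) from a name -> bytes mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample data, not real app artefacts.
BASE = {
    "AndroidManifest.xml": b"<manifest package='org.example.app'/>",
    "classes.dex": b"dex\n035\x00" + bytes(range(64)),
    "resources.arsc": b"\x02\x00\x0c\x00resources",
}
LOCAL_APK = build_apk(BASE)
# Store copy: identical content plus the artefacts the developer's signing key adds.
STORE_APK = build_apk({**BASE,
                       "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                       "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
                       "META-INF/CERT.RSA": b"\x30\x82fake-pkcs7"})
# Tampered copy: same everything except the compiled code.
TAMPERED_APK = build_apk({**BASE, "classes.dex": b"dex\n035\x00backdoor"})

if __name__ == "__main__":
    print("store matches local build:", reproducible(LOCAL_APK, STORE_APK))
    print("tampered diff:", compare_apks(LOCAL_APK, TAMPERED_APK))
```

On a real device the store copy is pulled with `adb pull` from the installed package path and the local copy is whatever the project's documented build container emits; the script then answers the question in the thread for one concrete release, and any entry in `changed` is exactly the place to start reading.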
phtheven@lemmy.world 1 day ago
I found this:
github.com/signalapp/Signal-Desktop/…/README.md
Looks like they're working on reproducibility, at least in the desktop app. That's a little disappointing, but I guess I'm happy they're working on it.
phtheven@lemmy.world 1 day ago
Neat! And can this be done with Signal or Proton?
BlueKey@fedia.io 15 hours ago
Signal: https://github.com/signalapp/Signal-Android/blob/main/reproducible-builds/README.md
Proton: didn't find anything (but I just did a quick lookup)
BoJackHorseman@lemmy.world 1 day ago
If you can self host it, yes. Like matrix
squidie@feddit.org 1 day ago
But only if you self-host right? Otherwise who ever hosts the matrix instance can tinker with it.
BoJackHorseman@lemmy.world 1 day ago
Correct.
phtheven@lemmy.world 1 day ago
In the end I have to choose between some shady company or some guy with a homelab. I guess I'll choose the one who isn't financially incentivized to screw me over.