
When downloading compiled binaries for programs, it is very important to check GPG signatures, Authenticode, hashes, etc.

However, I often see people who say that compiling the code from source is the most secure way.

If they have read and understood every single line of code, then I can see how this would be the case.

However, for projects like Chromium or the Linux Kernel, I highly doubt that anybody in the world has read every single line. Even if they did read every single line, a backdoor can be as small as one character, so they'd better have read it damn accurately.

Is compiling from source really more secure than downloading the unverified binaries?

1 Answer


It's harder to hide a backdoor in source code than in a binary. Someone could easily add a bunch of code before compiling a binary, but leave the extra code unpublished. If you build it yourself, then you can be fairly confident (outside of a compromised compiler, or network commands in the makefile) that the code you downloaded actually reflects what is in the binary.

In theory, at some point in time every line of code in Chromium, Linux, Firefox, etc. has been looked at by at least one person. Furthermore, someone definitely looks at every change made. If the source code was ever non-malicious, it would be difficult to make it malicious.

I doubt very much that someone has disassembled the binary executable and matched up the assembly to the source code. It would be comparably easy to add malicious behavior to a distributed binary file with nobody being the wiser, especially if builds are not reproducible.

Ben
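The checks the question lists (signatures and hashes) and the reproducible-build comparison the answer ends on, as an added shell example that is not part of the original question or answer. The file names, the `SHA256SUMS` layout and the demo data are assumptions; the GPG step assumes the maintainers' signing key is already imported and trusted, and is not exercised by the demo.

```shell
#!/bin/sh
# Added example, not code from the original post. Verifies a downloaded
# binary against a signed checksum list, then compares a local rebuild
# with the distributed binary. All file names are assumptions.
set -e

# 1. Authenticate the checksum list. A matching hash only proves the file
#    was not corrupted in transit; the signature ties it to the publisher.
#    Assumes the maintainers' signing key is imported and trusted locally.
verify_signed_sums() {
    gpg --verify "$2" "$1" 2>/dev/null   # $1 = SHA256SUMS, $2 = detached .asc
}

# 2. Look the file up in the (authenticated) list and compare digests.
#    Handles both "hash  name" and "hash *name" line formats.
verify_checksum() {
    file="$1"; sums="$2"; name=$(basename "$file")
    expected=$(awk -v f="$name" '$2 == f || $2 == ("*" f) { print $1 }' "$sums")
    [ -n "$expected" ] || { echo "no entry for $name in $sums" >&2; return 1; }
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# 3. Reproducible-build check: a bit-for-bit identical rebuild from the
#    published source shows the binary contains nothing beyond that source
#    (the compiler and build environment are still trusted).
same_build() {
    [ "$(sha256sum "$1" | awk '{ print $1 }')" = "$(sha256sum "$2" | awk '{ print $1 }')" ]
}

# Constructed demo data: a release, an honest rebuild, and a binary with
# extra code appended after the checksum list was published.
demo() {
    dir=$(mktemp -d)
    printf 'release build\n' > "$dir/tool-1.0"
    printf 'release build\n' > "$dir/tool-1.0.rebuilt"
    printf 'release build\nextra unpublished code\n' > "$dir/tool-1.0.modified"
    ( cd "$dir" && sha256sum tool-1.0 > SHA256SUMS )
    verify_checksum "$dir/tool-1.0" "$dir/SHA256SUMS" && echo "download matches SHA256SUMS"
    same_build "$dir/tool-1.0" "$dir/tool-1.0.rebuilt" && echo "rebuild is reproducible"
    cp "$dir/tool-1.0.modified" "$dir/tool-1.0"
    verify_checksum "$dir/tool-1.0" "$dir/SHA256SUMS" || echo "modified download rejected"
    rm -rf "$dir"
}
demo
```

Run `verify_signed_sums SHA256SUMS SHA256SUMS.asc` before `verify_checksum` on a real download; skipping it reduces the hash check to a corruption check.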