So if a group has made open source software, and the source code is available on GitHub, and is bundled with an executable in their main download, can it be proven that the executable is compiled from the source code that is on GitHub, and not modified source code (like adding a backdoor to the system that isn't on the GitHub version)?
Is it as simple as compiling it yourself and comparing the hashes of both executables, or is there a flaw in that method?
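As an added illustration (not part of the question itself), the script below performs the check the question describes: it hashes the downloaded executable and a locally rebuilt one and compares the digests. The reason this is not always enough is that many toolchains embed timestamps, build paths or build IDs in the output, so two honest builds of identical source can hash differently; the script therefore also reports the byte ranges where the two files differ, which is the first thing to look at before concluding anything (a small localised difference points at such build metadata, a large one needs a real binary diff). The "binaries" are constructed sample byte strings, not real executables, and the verdict thresholds are an assumption for this example.

```python
"""Added example, not part of the original question: compare a downloaded
executable with one rebuilt locally from the published source, and when the
SHA-256 digests differ, report where the bytes differ so that build
non-determinism (timestamps, build IDs, embedded paths) can be told apart from
a substantive code change. All "binaries" here are constructed sample bytes."""
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def differing_ranges(a, b):
    """Return [(start, end), ...] byte ranges (end exclusive) where a and b differ.
    A length mismatch is reported as a final range covering the longer tail."""
    ranges, n, start = [], min(len(a), len(b)), None
    for i in range(n):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, n))
    if len(a) != len(b):
        ranges.append((n, max(len(a), len(b))))
    return ranges


def compare_builds(downloaded, rebuilt):
    """Hash both files; on mismatch, summarise how they differ.

    'verdict' is a coarse hint only (thresholds are an assumption of this example):
    one small differing region is typical of a timestamp or build-ID field, whereas
    many or large regions mean the code itself differs and a proper binary diff
    (e.g. with diffoscope) is needed."""
    d_hash, r_hash = sha256_file(downloaded), sha256_file(rebuilt)
    result = {"downloaded_sha256": d_hash, "rebuilt_sha256": r_hash,
              "identical": d_hash == r_hash, "diff_ranges": [],
              "differing_bytes": 0, "verdict": "reproducible"}
    if not result["identical"]:
        with open(downloaded, "rb") as f:
            a = f.read()
        with open(rebuilt, "rb") as f:
            b = f.read()
        ranges = differing_ranges(a, b)
        differing = sum(end - start for start, end in ranges)
        result["diff_ranges"] = ranges
        result["differing_bytes"] = differing
        if len(ranges) <= 2 and differing <= 32:
            result["verdict"] = "mismatch: small localised difference, check for build timestamps/IDs"
        else:
            result["verdict"] = "mismatch: substantive difference, inspect with a binary diff"
    return result


# --- constructed sample "binaries" (not real executables) -------------------
HEADER = b"\x7fELF" + b"\x00" * 12                 # 16 bytes
CODE = b"code-section:" + bytes(range(64))         # 77 bytes, offsets 16..93
STAMP_A = b"build-stamp:AAAAAAAA"                  # 20 bytes, offsets 93..113
STAMP_B = b"build-stamp:BBBBBBBB"
VENDOR_BINARY = HEADER + CODE + STAMP_A
REBUILD_SAME = HEADER + CODE + STAMP_A             # fully reproducible rebuild
REBUILD_STAMPED = HEADER + CODE + STAMP_B          # only the embedded stamp differs
REBUILD_OTHER = HEADER + b"code-section:" + bytes(range(64, 128)) + b"extra" + STAMP_A  # different code


def demo():
    """Write the samples to a temp dir and compare each rebuild with the vendor file."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        paths = {}
        for name, data in [("vendor", VENDOR_BINARY), ("same", REBUILD_SAME),
                           ("stamped", REBUILD_STAMPED), ("other", REBUILD_OTHER)]:
            paths[name] = os.path.join(d, name + ".bin")
            with open(paths[name], "wb") as f:
                f.write(data)
        for name in ("same", "stamped", "other"):
            out[name] = compare_builds(paths["vendor"], paths[name])
    return out


if __name__ == "__main__":
    for name, res in demo().items():
        print(f"{name:8s} identical={res['identical']} ranges={res['diff_ranges']} -> {res['verdict']}")
```

The "same" case is what a reproducible build looks like: equal digests, nothing further to do. The "stamped" case is the common false alarm: eight differing bytes inside a build-stamp field, which is why projects that want this property pin their toolchain and use fixed timestamps and paths so that independent rebuilds hash identically. Only the "other" case, where the code region itself differs, is the situation the question is worried about, and it still needs a human (or a tool such as diffoscope) to say what changed.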