5Tem
Is there a way to verify a binary against the sources?
It seems like there is no practical way to verify the full integrity path of precompiled and packaged software. I can check the downloaded package itself by its hashes, but I have no way to verify whether the compiled binaries really represent the public source code.
Is there not even a theoretical solution to this problem? In the best case, a way that could be automated?
Maybe decompile it and compare the output, or hashes of it, with something the software provider offers?