pull down to refresh

Why it's hard to trust software, but you mostly have to anywayeducatedguesswork.org/posts/ensuring-software-provenance
71 sats \ 2 comments \ @cyphercosmo 4 Jan devs

Core Problem

Software users must trust vendors despite security risks, with limited practical ways to verify software integrity and security.

Key Verification Methods

  • Code signing & package verification
  • App store distribution & controls
  • Binary transparency systems
  • Source code review & reproducible builds

Major Challenges

  • Source review is impractical due to code volume and complexity
  • Reproducible builds are technically difficult
  • Supply chains involve multiple trust points
  • Targeted attacks are hard to detect
  • Verification tools themselves require trust

Current Reality

While some security measures exist (open source, reproducible builds, binary transparency), complete elimination of trust in software vendors remains impossible. Users must ultimately trust some combination of:
  • Software vendors
  • Operating system providers
  • App store operators
  • Package managers
  • Hardware manufacturers
write
preview
related posts
21 sats \ 1 reply \ @SwearyDoctor 4 Jan
code signing and verification is useless when you think the danger is the software company, like Microsoft. It'll have the surveillance crap in the checksum anyway. Microsoft scares me a lot more than any virus scammer.
reply
21 sats \ 0 replies \ @cyphercosmo OP 4 Jan
That's why we need to move away from walled gardens and help others understand it as well.
reply