Security
It is NEVER a good idea to install random binaries from random sources.
The amount of work required, and the near impossibility of ensuring that every source we use provides reproducible builds, makes full reproducibility impractical. Even if it were practical, not every pkg/tool publishes its source code, so it cannot be done across the board.
Since the builds are not reproducible, it is unlikely that you will end up with the same checksums if you rebuild or rerun the Build Script.
For repos that already publish pre-compiled binaries/packages, you can compare our checksums against the ones upstream publishes.
Fork our repos, read & audit our code, set up all the infrastructure, & run all the scripts & builds on your own servers.
Second, check the affected binary's Build Script, the latest BUILD.log & finally CHECKSUMS as described in the sections above.
Third, if you find that everything is as it should be, create an Issue & attach verifiable and reproducible proof.
Once again, to reiterate: the source code of the packages or tools compiled here is not controlled by us in any way.
It cannot be guaranteed that the upstream source is entirely safe or legitimate. It is up to you to exercise basic common sense and vigilance when using these binaries/packages.
Check the Package Page & look for the Build Log:
If you get a 404 or it errors out, you can get the full logs here:
You can use to verify any of our artifacts using the Public Key:
All our CI workflows produce attestations for all of the artifacts:
Devscripts:
Dockerfiles:
For , debug symbols and comments are stripped; this will change the checksum.
For , icons and desktop files are edited/fixed & patched (and the artifact may even be repacked); this will change the checksum.
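As an added illustration of the checks described above (verifying an artifact against a CHECKSUMS file, and cross-checking our checksum against one published by another source such as upstream), here is a small POSIX shell script. It is not part of this project's own build scripts or CI; it assumes CHECKSUMS files use the sha256sum two-space format `<hex>  <name>` and constructs its own sample artifact and checksum lists (no real release data). The cross-check deliberately treats a disagreement as "inspect further" rather than "malicious", because, as noted above, stripping debug symbols and comments or patching icons/desktop files legitimately changes the checksum.

```shell
#!/bin/sh
# Added example (not the project's own tooling). Assumes CHECKSUMS lines look
# like "<sha256-hex>  <filename>" (sha256sum format, optional "*" before name).
set -u

# sha256 of a file; falls back to shasum on systems without sha256sum
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# expected_sha256 <CHECKSUMS> <basename>: print the listed hash, or nothing
expected_sha256() {
  awk -v name="$2" '$2 == name || $2 == ("*" name) {print $1; exit}' "$1"
}

# verify_artifact <artifact> <CHECKSUMS>: 0 on match, 1 on mismatch, 2 if unlisted
verify_artifact() {
  art="$1"; sums="$2"
  name=$(basename "$art")
  want=$(expected_sha256 "$sums" "$name")
  if [ -z "$want" ]; then
    echo "NO ENTRY: $name is not listed in $sums" >&2
    return 2
  fi
  have=$(file_sha256 "$art")
  if [ "$have" = "$want" ]; then
    echo "OK: $name $have"
    return 0
  fi
  echo "MISMATCH: $name" >&2
  echo "  expected $want" >&2
  echo "  got      $have" >&2
  return 1
}

# cross_check <basename> <CHECKSUMS_a> <CHECKSUMS_b>: 0 if both lists agree,
# 1 if they differ, 2 if either list lacks an entry. A difference is expected
# when one side stripped or repacked the artifact; read the build log before
# treating it as tampering.
cross_check() {
  a=$(expected_sha256 "$2" "$1"); b=$(expected_sha256 "$3" "$1")
  if [ -z "$a" ] || [ -z "$b" ]; then
    echo "NO ENTRY: $1 is missing from one of the lists" >&2
    return 2
  fi
  if [ "$a" = "$b" ]; then
    echo "AGREE: $1 $a"
    return 0
  fi
  echo "DIFFER: $1 (expected if stripped/repacked; inspect the build log)" >&2
  return 1
}

# Demo on constructed sample data (a fake "tool" binary and two checksum lists).
demo() {
  tmp=$(mktemp -d)
  printf 'constructed sample artifact\n' > "$tmp/tool"
  printf '%s  tool\n' "$(file_sha256 "$tmp/tool")" > "$tmp/CHECKSUMS"
  verify_artifact "$tmp/tool" "$tmp/CHECKSUMS"          # OK
  printf 'tampered\n' >> "$tmp/tool"                     # simulate modification
  verify_artifact "$tmp/tool" "$tmp/CHECKSUMS"           # MISMATCH
  # a second list standing in for "upstream", with a different hash for tool
  printf '%s  tool\n' "$(file_sha256 "$tmp/tool")" > "$tmp/UPSTREAM_SUMS"
  cross_check tool "$tmp/CHECKSUMS" "$tmp/UPSTREAM_SUMS" # DIFFER
  rm -rf "$tmp"
}
demo
```

Usage: `verify_artifact ./soar-linux CHECKSUMS` after downloading both files from the same release; `cross_check <name> CHECKSUMS <upstream-list>` only when upstream also publishes checksums, and with the stripping/repacking caveat in mind.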
Follow this guide to analyze a malicious binary/package:
First, it's important to verify that the alert is and truly confirm that indeed the
It's important to NOTE that WE DO NOT WRITE/OWN the binaries we compile and CANNOT BE HELD RESPONSIBLE if the developer has DELIBERATELY made them malicious. If that's the case, it's best to notify us (create an Issue OR ) & also like here:
All the follow to mitigate , so a single Malicious Binary is more probable than ALL the binaries being infected.