[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[libreplanet-discuss] How to verify a GPL binary - practically?
|
From: |
Jamie Hale |
|
Subject: |
[libreplanet-discuss] How to verify a GPL binary - practically? |
|
Date: |
Tue, 28 Jun 2016 19:50:30 -0400 |
|
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Icedove/38.8.0 |
Forgive me if this has been asked before.
I've purchased a copy of "ethOS", a GNU/Linux distribution that comes
ready to mine ether, the cryptocurrency that backs the Ethereum network.
The mining program bundled, ethminer, is distributed GPL.
The distro owner claims that no modifications have been made to
ethminer, that he compiled from a certain label in a public repo.
Because of the possibility of backdooring the software and stealing
private keys, I want to confirm his statement. (Note: I am in no way
accusing him of doing anything like that! Just performing due diligence!)
... but I can't think of a way to do it.
It looks like my only option to be safe is to download the same source
and compile it on my own and *not* use his. And hope it works even
though it's not the binary he's tested with.
(I can't think of a way to reproduce a binary with the identical hash
without having access to the original build environment. Too many things
would have changed.)
Is there another option I've overlooked?
J
- [libreplanet-discuss] How to verify a GPL binary - practically?,
Jamie Hale <=