So I run Linux for a bit now but I am still not fully confident with downloading “random” Appimages or .tar archives (I don’t even know how to run/compile the archives but that is another problem lol) from Github or something.
I try to verify the hashes or GPG signatures for all the programs but not every developer provides a latest.yml.
I revently noticed sometimes Github shows a sha256 sum next to the files in the release tab but not in every repo and is this just a second layer or is this a substitution for the latest.yml?
Is there something I am missing or should I not worry too much when using Appimages or Flatpaks because they are sandboxed anyways?
You can’t exactly read code and determine it’s not malicious.
This is exactly why the rise of 0 width characters being used in malware is scary: Human readable source is not 1:1 with human verifiable behavior.
We’ve entered an arms race of “use automated tool. Review automated tools work. Used automated tool to review automated tools work. Review automated tool’s automated tool’s work…”
I am personally not going to start reading assembly.
Yeah, somewhere along the line you end up with a question of trust. “Do I trust the developer of this AppImage?”, “Do I trust the result of this automated tool that checks the code for malware?” or “Do I trust my IDE and myself when I downloaded the source and tried to verify it in my sandboxed VM?”.
My main point was that the hash doesn’t really tell you anything about the source, except whether you got an exact copy of it or not.