Author

Topic: Github Crypto sources (Read 246 times)

full member
Activity: 266
Merit: 100
July 14, 2017, 07:02:32 PM
#3
I don't think there's an actual way to know that for sure.  They can tell you that what they're distributing is a build of what's on their github.  You can build what's on their github.  You can download their binaries and then compare them with what you built but the difficulty is that you're unlikely to get a bitwise identical binary since you're probably not building with the same configuration/compiler/etc.  You can do a sort of "external" comparison on what you build and what they distribute by running tests against both.


On second read, you're actually asking if a binary in a repo is the same as a binary on a website: to do that, just download both of them and hash them then compare the hashes:

Code:
$ sha256sum file1.zip | cut -f 1 -d ' ' | diff <(sha256sum file2.zip | cut -f 1 -d ' ') -

The above just uses bash to run sha256sum against "file1.zip" and "file2.zip" and pipes each result to diff.  If they are not different you will see no output and $? will be 0.  If they are different, you'll see the two different hashes printed on the command line.  Note: if the above syntax is confusing or hard to replicate, you could always just compare hashes "by hand".

Thank you for the explanation very helpful, i will compare the hashes by "hand".
legendary
Activity: 1456
Merit: 1081
I may write code in exchange for bitcoins.
July 14, 2017, 11:43:39 AM
#2
I don't think there's an actual way to know that for sure.  They can tell you that what they're distributing is a build of what's on their github.  You can build what's on their github.  You can download their binaries and then compare them with what you built but the difficulty is that you're unlikely to get a bitwise identical binary since you're probably not building with the same configuration/compiler/etc.  You can do a sort of "external" comparison on what you build and what they distribute by running tests against both.


On second read, you're actually asking if a binary in a repo is the same as a binary on a website: to do that, just download both of them and hash them then compare the hashes:

Code:
$ sha256sum file1.zip | cut -f 1 -d ' ' | diff <(sha256sum file2.zip | cut -f 1 -d ' ') -

The above just uses bash to run sha256sum against "file1.zip" and "file2.zip" and pipes each result to diff.  If they are not different you will see no output and $? will be 0.  If they are different, you'll see the two different hashes printed on the command line.  Note: if the above syntax is confusing or hard to replicate, you could always just compare hashes "by hand".
full member
Activity: 266
Merit: 100
July 14, 2017, 10:33:22 AM
#1
Hi,

I would like to know if there is any chance to get an answer to the following question.

Are the Crypto sources in Github for example the one from MONERO is the zip file in the repo the actual source they use on their actual website?

Thanks
Jump to: