randunel 8 hours ago

How do you check that the open sourced code is the same one that you are installing from the extension repository and actually running?

endsandmeans 8 hours ago | parent | next [-]

I agree but let me play the devil's advocate. I'll channel Stallman:

Same argument can be applied to all closed source software.

In the end it's about who you trust and who needs to be verified and that is relative, subjective, and contextual... always.

So unless you can read the source code and compile yourself on a system you built on an OS you also built from source on a machine built before server management backdoors were built into every server... you are putting your trust somewhere and you cannot really validate it beyond wider public perceptions.

anonymars 7 hours ago | parent [-]

Don't forget to channel Ken Thompson ("Reflections on Trusting Trust") -- you can read the source code, but where did you get the compiler?

fsflover 6 hours ago | parent [-]

This can be mitigated by Bootstrappable builds: https://news.ycombinator.com/item?id=41368835

insin 8 hours ago | parent | prev | next [-]

CRX Viewer is handy for quickly checking what's been published:

https://robwu.nl/crxviewer/

nickjj 8 hours ago | parent | prev | next [-]

> How do you check that the open sourced code is the same one that you are installing from the extension repository and actually running?

Extensions are local files on disk. After installing it, you can audit it locally.

I don't know about all operating systems but on Linux they are stored as .xpi files which are zip files. You can unzip it.

On my machine they are installed to $HOME/.mozilla/firefox/52xz2p7e.default-release/extensions but I think that string in the middle could be different for everyone.

Diffing it vs what's released in its open source repo would be a quick way to see if anything has been adjusted.
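The unzip-and-diff check described in this comment, as an added example that is not code from any commenter: it hashes every file inside an installed .xpi (a zip archive), hashes every file in a checkout of the source repository, and reports what was modified, added or dropped. The extension contents and the "repository" are constructed fixtures written to a temporary directory; the path layout, file names and the `META-INF/` skip are assumptions (a signed Firefox .xpi carries its signature files under that prefix, which never exist in the repo, so comparing them would only add noise).

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path

# Files the packaging/signing step adds that are never in the source repository.
IGNORED_PREFIXES = ("META-INF/",)


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_xpi(xpi_path) -> dict[str, str]:
    """Map each file inside the installed .xpi (a zip) to its SHA-256, skipping signature files."""
    with zipfile.ZipFile(xpi_path) as zf:
        return {
            info.filename: sha256_bytes(zf.read(info))
            for info in zf.infolist()
            if not info.is_dir() and not info.filename.startswith(IGNORED_PREFIXES)
        }


def hash_tree(root) -> dict[str, str]:
    """Map each file in a source checkout (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_bytes(p.read_bytes())
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(installed: dict[str, str], source: dict[str, str]) -> dict[str, list[str]]:
    """Three buckets a reviewer cares about: changed content, files only on disk, files only in the repo."""
    return {
        "modified": sorted(f for f in installed if f in source and installed[f] != source[f]),
        "only_in_installed": sorted(set(installed) - set(source)),
        "only_in_source": sorted(set(source) - set(installed)),
    }


def build_fixture(base: Path):
    """Constructed sample data (not a real extension): a repo checkout and an installed .xpi."""
    repo = base / "repo"
    repo.mkdir()
    (repo / "manifest.json").write_text('{"name": "demo", "version": "1.0"}\n')
    (repo / "background.js").write_text("console.log('hello');\n")
    (repo / "README.md").write_text("# demo\n")  # docs are often not packaged; expected to be repo-only

    xpi = base / "demo@example.invalid.xpi"  # hypothetical extension id
    with zipfile.ZipFile(xpi, "w") as zf:
        zf.writestr("manifest.json", '{"name": "demo", "version": "1.0"}\n')  # identical to repo
        zf.writestr("background.js", "console.log('hello');\nfetch('https://example.invalid/');\n")  # extra line
        zf.writestr("tracker.js", "// file that does not exist in the repository\n")
        zf.writestr("META-INF/manifest.mf", "Manifest-Version: 1.0\n")  # signing artefact, ignored
    return xpi, repo


def audit_demo() -> dict[str, list[str]]:
    """Run the comparison on the constructed fixture and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        xpi, repo = build_fixture(Path(tmp))
        return compare(hash_xpi(xpi), hash_tree(repo))


if __name__ == "__main__":
    for bucket, files in audit_demo().items():
        print(f"{bucket}: {files}")
```

For a real check, point `hash_xpi` at the file in your profile's `extensions` directory and `hash_tree` at a checkout of the tagged release. If the project has a build step (bundling, minification), compare against the repository's build output rather than its raw sources, otherwise every bundled file shows up as "modified" and the diff tells you nothing; the per-file hash map this script produces is also the kind of "source hash" manifest a repository could publish alongside a release.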

AJ007 5 hours ago | parent [-]

Extensions are trivial unless they have to run external software or services. Download the extension, extract the source, audit it with a good thinking model and either strip out all third party URLs/addresses or have the agent clone the functionality you want.

oj-hn-dot-com 3 hours ago | parent | prev | next [-]

The open source one automatically publishes to the Chrome Store from GH actions so that there is no human involvement in the deployment process.

I'm currently in the process of setting that up for the one I'm building, because this transparency is very important to me, and it is a pain in the butt to do so. You have to go through a few verification processes at Google to get the keys approved.

pbhjpbhj 7 hours ago | parent | prev | next [-]

I'm running Uniget on Win11 and this is my worry there. Provenance of installs vs the actually released files.

fn-mote 8 hours ago | parent | prev | next [-]

This kind of nihilistic comment doesn’t do anything for me.

There’s always a possibility of problems along the chain. You are reducing your risk not eliminating it.

chrisjj 6 hours ago | parent [-]

> This kind of nihilistic comment doesn’t do anything for me.

Got to say, mischaracterising a neutral question as a nihilistic comment doesn't do anything for me.

pezgrande 7 hours ago | parent | prev [-]

I wish we had something like "source hash" available in all repositories.