Timeline for Why don't some open source libraries provide binaries?
Current License: CC BY-SA 3.0
9 events
| when | what | | by | license | comment |
|---|---|---|---|---|---|
| May 17, 2011 at 21:57 | comment | added | user8709 | | Source code can be tampered with (kinda what "Open Source" is for), and in the real world, few users do thorough source code audits. When programmers added "back door" security holes, for example, they were added to the source, not the binary. Ken Thompson's classic paper "Reflections on Trusting Trust" also has some interesting points to make about the (in)validity of the built-from-source = safe myth. For getting clean sources, solutions are typically the same as for clean binaries - check the MD5 hash or whatever. Oh - and don't let Ken Thompson anywhere near your compiler. |
| May 17, 2011 at 21:22 | comment | added | CodesInChaos | | Open source projects offer their source by definition. So I understand the OP's question as "Why don't they offer binaries in addition to the source?" and not as "Why don't they offer binaries instead of the source?" |
| May 17, 2011 at 21:15 | comment | added | Rob Raisch | | Interesting that you seem hell-bent on misinterpreting my comments as I did not attempt to provide "a reason for not providing binaries." I simply provided an explanation for why open-source projects are typically distributed as source code. Thanks for playing but this is my last comment on this. |
| May 17, 2011 at 21:03 | comment | added | CodesInChaos | | Downloading a modified binary is a risk to the user. And the user mitigates the risk for himself. The developer knows his binary is clean because he built it himself (unless the server got hacked, but then he has a bigger problem anyways). And the studying/modifying part is just as possible if you distribute a binary in addition to the source. So neither of your arguments shows an advantage for the creator of the product if he doesn't provide a binary. So I don't see anything in your answer giving a reason for not providing binaries. |
| May 17, 2011 at 20:39 | comment | added | Rob Raisch | | Funny, I don't see the word 'user' in either my answer or the original question. Perhaps I'm reading my own answer incorrectly? |
| May 17, 2011 at 20:36 | comment | added | CodesInChaos | | But your arguments are on why it's better for the user that he gets the source and not the binaries. |
| May 17, 2011 at 19:17 | comment | added | Rob Raisch | | True, but the OP asked why open-source projects aren't typically distributed as binaries, not "as a user, why do I have to compile all this stuff?" ;-) |
| May 17, 2011 at 19:12 | comment | added | CodesInChaos | | For applications >90% of the users will never even look at the source. And the risk of manipulation is something most downloaders of binaries are willing to take. They can't (and even if they could, they'd be too lazy to) verify that the source code doesn't contain malicious code. |
| May 17, 2011 at 18:45 | history | answered | Rob Raisch | CC BY-SA 3.0 | |