Can I rely on these GitHub repository files?












18















I recently found the GitHub repository https://github.com/userEn1gm4/HLuna, but after I cloned it I noted that the comparison between the file compiled (using g++) from source, HLuna.cxx, and the binary included in the repository (HLuna) is different: differ: byte 25, line 1. Is the provided binary file secure?



I've already analyzed that in VirusTotal without any issues, but I don't have the expertise to decompile and read the output, and I've previously executed the binary provided without thinking about the risks.










share|improve this question









New contributor




mcruz2401 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
















  • 3





    If you're able to compile from source, then just use your computer version.

    – Daisetsu
    yesterday






  • 14





    It takes lots of effort for builds to be reproducible (deterministic) due to nature of legacy tools (because no one cared about that in past). Debian is trying to be deterministic since 2014, still not done :)

    – PTwr
    23 hours ago






  • 1





    There is a relevant post (full disclosure: mine) on OpenSource.SE with several helpful links about deterministic and non-deterministic builds: Is there any way to assert that source code corresponds to compiled code?

    – apsillers
    19 hours ago








  • 1





    How do you know you can trust the source code in the repo? Do you audit every single line of code? (the 175 line source code file you linked to is small enough that you can audit it, but if it were 10,000 or 100,000 lines of code, is the source code any safer than the published binaries?)

    – Johnny
    10 hours ago
















18















I recently found the GitHub repository https://github.com/userEn1gm4/HLuna, but after I cloned it I noted that the comparison between the file compiled (using g++) from source, HLuna.cxx, and the binary included in the repository (HLuna) is different: differ: byte 25, line 1. Is the provided binary file secure?



I've already analyzed that in VirusTotal without any issues, but I don't have the expertise to decompile and read the output, and I've previously executed the binary provided without thinking about the risks.










share|improve this question









New contributor




mcruz2401 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
















  • 3





    If you're able to compile from source, then just use your computer version.

    – Daisetsu
    yesterday






  • 14





    It takes lots of effort for builds to be reproducible (deterministic) due to nature of legacy tools (because no one cared about that in past). Debian is trying to be deterministic since 2014, still not done :)

    – PTwr
    23 hours ago






  • 1





    There is a relevant post (full disclosure: mine) on OpenSource.SE with several helpful links about deterministic and non-deterministic builds: Is there any way to assert that source code corresponds to compiled code?

    – apsillers
    19 hours ago








  • 1





    How do you know you can trust the source code in the repo? Do you audit every single line of code? (the 175 line source code file you linked to is small enough that you can audit it, but if it were 10,000 or 100,000 lines of code, is the source code any safer than the published binaries?)

    – Johnny
    10 hours ago














18












18








18


2






I recently found the GitHub repository https://github.com/userEn1gm4/HLuna, but after I cloned it I noted that the comparison between the file compiled (using g++) from source, HLuna.cxx, and the binary included in the repository (HLuna) is different: differ: byte 25, line 1. Is the provided binary file secure?



I've already analyzed that in VirusTotal without any issues, but I don't have the expertise to decompile and read the output, and I've previously executed the binary provided without thinking about the risks.










share|improve this question









New contributor




mcruz2401 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.












I recently found the GitHub repository https://github.com/userEn1gm4/HLuna, but after I cloned it I noted that the comparison between the file compiled (using g++) from source, HLuna.cxx, and the binary included in the repository (HLuna) is different: differ: byte 25, line 1. Is the provided binary file secure?



I've already analyzed that in VirusTotal without any issues, but I don't have the expertise to decompile and read the output, and I've previously executed the binary provided without thinking about the risks.







reverse-engineering c++ github






share|improve this question









New contributor




mcruz2401 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question









New contributor




mcruz2401 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question








edited yesterday









Peter Mortensen

70049




70049






New contributor




mcruz2401 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked yesterday









mcruz2401mcruz2401

9615




9615




New contributor




mcruz2401 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





mcruz2401 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






mcruz2401 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.








  • 3





    If you're able to compile from source, then just use your computer version.

    – Daisetsu
    yesterday






  • 14





    It takes lots of effort for builds to be reproducible (deterministic) due to nature of legacy tools (because no one cared about that in past). Debian is trying to be deterministic since 2014, still not done :)

    – PTwr
    23 hours ago






  • 1





    There is a relevant post (full disclosure: mine) on OpenSource.SE with several helpful links about deterministic and non-deterministic builds: Is there any way to assert that source code corresponds to compiled code?

    – apsillers
    19 hours ago








  • 1





    How do you know you can trust the source code in the repo? Do you audit every single line of code? (the 175 line source code file you linked to is small enough that you can audit it, but if it were 10,000 or 100,000 lines of code, is the source code any safer than the published binaries?)

    – Johnny
    10 hours ago














  • 3





    If you're able to compile from source, then just use your computer version.

    – Daisetsu
    yesterday






  • 14





    It takes lots of effort for builds to be reproducible (deterministic) due to nature of legacy tools (because no one cared about that in past). Debian is trying to be deterministic since 2014, still not done :)

    – PTwr
    23 hours ago






  • 1





    There is a relevant post (full disclosure: mine) on OpenSource.SE with several helpful links about deterministic and non-deterministic builds: Is there any way to assert that source code corresponds to compiled code?

    – apsillers
    19 hours ago








  • 1





    How do you know you can trust the source code in the repo? Do you audit every single line of code? (the 175 line source code file you linked to is small enough that you can audit it, but if it were 10,000 or 100,000 lines of code, is the source code any safer than the published binaries?)

    – Johnny
    10 hours ago








3




3





If you're able to compile from source, then just use your computer version.

– Daisetsu
yesterday





If you're able to compile from source, then just use your computer version.

– Daisetsu
yesterday




14




14





It takes lots of effort for builds to be reproducible (deterministic) due to nature of legacy tools (because no one cared about that in past). Debian is trying to be deterministic since 2014, still not done :)

– PTwr
23 hours ago





It takes lots of effort for builds to be reproducible (deterministic) due to nature of legacy tools (because no one cared about that in past). Debian is trying to be deterministic since 2014, still not done :)

– PTwr
23 hours ago




1




1





There is a relevant post (full disclosure: mine) on OpenSource.SE with several helpful links about deterministic and non-deterministic builds: Is there any way to assert that source code corresponds to compiled code?

– apsillers
19 hours ago







There is a relevant post (full disclosure: mine) on OpenSource.SE with several helpful links about deterministic and non-deterministic builds: Is there any way to assert that source code corresponds to compiled code?

– apsillers
19 hours ago






1




1





How do you know you can trust the source code in the repo? Do you audit every single line of code? (the 175 line source code file you linked to is small enough that you can audit it, but if it were 10,000 or 100,000 lines of code, is the source code any safer than the published binaries?)

– Johnny
10 hours ago





How do you know you can trust the source code in the repo? Do you audit every single line of code? (the 175 line source code file you linked to is small enough that you can audit it, but if it were 10,000 or 100,000 lines of code, is the source code any safer than the published binaries?)

– Johnny
10 hours ago










3 Answers
3






active

oldest

votes


















17














Polynomial tells you what may happen, and how to solve it. Here I will illustrate it:



I ran both binaries through strings and diffed them. That enough shows some completely harmless differences, in particular, the compiler used:



GCC: (Debian 6.3.0-18) 6.3.0 20170516                         | GCC: (GNU) 8.2.1 20181105 (Red Hat 8.2.1-5)
> GCC: (GNU) 8.3.1 20190223 (Red Hat 8.3.1-2)
> gcc 8.2.1 20181105


Some of the private names used are also different:



_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEaSEOS4_@ | _ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEaSERKS4_


And some sections seem to be shuffled, so the diff cannot match them exactly.



Even on the same computer, without optimisation and -O3 shows different files:



_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE6appendE | _ZNSt7__cxx1115basic_stringbufIcSt11char_traitsIcESaIcEED2Ev


Even shuffling of internal data:



Diccionario creado!                                           <
MENU <
1. Generador de Diccionarios <
0. Salir <
/*** <
* $$| |$$ |$$| <
* $$| |$$ |$$| * $$| |$$ |$$|
* $$| |$$ |$$| $$| |$$ |$$$$$$| |$$$$$$| * $$| |$$ |$$| $$| |$$ |$$$$$$| |$$$$$$|
* $$$$$$$$ |$$| $$| |$$ |$$ __ $$| ____$$| * $$$$$$$$ |$$| $$| |$$ |$$ __ $$| ____$$|
* $$| |$$ |$$| $$| |$$ |$$| |$$| $$$$$$$| * $$| |$$ |$$| $$| |$$ |$$| |$$| $$$$$$$|
* $$| |$$ |$$|___ $$|_|$$ |$$| |$$| $$___$$| * $$| |$$ |$$|___ $$|_|$$ |$$| |$$| $$___$$|
* $$| |$$ |$$$$$$$| $$$$$ |$$| |$$| $$$$$$$| * $$| |$$ |$$$$$$$| $$$$$ |$$| |$$| $$$$$$$|
* ---------------------------------------------- * ----------------------------------------------
> -------------------
> Diccionario creado!
> MENU
> 1. Generador de Diccionarios
> 0. Salir
> /***
> * $$| |$$ |$$|



This proves that differing binary files raises many false positives, and doesn't tell you anything about is safety.



In this case, I'd use the version compiled by myself because you have no way to know what version is uploaded, as the author may have forgotten to recompile before the last tweaks.






share|improve this answer








New contributor




Davidmh is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
















  • 7





    I don't think those are different names - what's actually happened is that when the immediately adjoining data are printable, strings grabs slightly more text. nm might be a better tool for extracting identifiers.

    – Toby Speight
    16 hours ago











  • @TobySpeight good point, I shall investigate and correct.

    – Davidmh
    10 hours ago











  • …and even a honest author might be unknowingly infected by some malware.

    – spectras
    5 hours ago











  • Protip/warning: GNU Strings was at one point vulnerable to arbitrary code execution if used on a malicious file. So it may be wise to avoid running it on untrusted files, just in case.

    – Kevin
    1 hour ago





















51














Compilation is not a directly verifiable deterministic process across compiler versions, library versions, operating systems, or a number of other different variables. The only way to verify is to perform a diff at the assembly level. There are lots of tools that can do this but you still need to put the manual work in.






share|improve this answer



















  • 32





    Even that isn't going to be reliable across optimization levels.

    – chrylis
    yesterday






  • 40





    Even if the compiled object code is 100% identical, there may still be timestamps in the executable file's metadata which cause the resulting binaries to differ even though the code is identical.

    – Jörg W Mittag
    yesterday






  • 1





    Reproducible builds solve this problem.

    – forest
    23 hours ago



















1














If the software is exactly the same at source level, then the question boils down to whether you can trust your compiler, system libraries and various utilities which are used during compilation. If you installed your toolchain from a trusted source and you trust your computer wasn't compromised meanwhile, then there's no reason to suspect that the binary file that you generated will be malicious, even if it differs from the "reference" build.






share|improve this answer



















  • 3





    Of course, Ken Thompson may disagree.

    – Jörg W Mittag
    16 hours ago






  • 1





    @JörgWMittag If you can't trust trust, who can you trust?

    – apsillers
    15 hours ago











Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "162"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});






mcruz2401 is a new contributor. Be nice, and check out our Code of Conduct.










draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f206000%2fcan-i-rely-on-these-github-repository-files%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























3 Answers
3






active

oldest

votes








3 Answers
3






active

oldest

votes









active

oldest

votes






active

oldest

votes









17














Polynomial tells you what may happen, and how to solve it. Here I will illustrate it:



I ran both binaries through strings and diffed them. That enough shows some completely harmless differences, in particular, the compiler used:



GCC: (Debian 6.3.0-18) 6.3.0 20170516                         | GCC: (GNU) 8.2.1 20181105 (Red Hat 8.2.1-5)
> GCC: (GNU) 8.3.1 20190223 (Red Hat 8.3.1-2)
> gcc 8.2.1 20181105


Some of the private names used are also different:



_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEaSEOS4_@ | _ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEaSERKS4_


And some sections seem to be shuffled, so the diff cannot match them exactly.



Even on the same computer, without optimisation and -O3 shows different files:



_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE6appendE | _ZNSt7__cxx1115basic_stringbufIcSt11char_traitsIcESaIcEED2Ev


Even shuffling of internal data:



Diccionario creado!                                           <
MENU <
1. Generador de Diccionarios <
0. Salir <
/*** <
* $$| |$$ |$$| <
* $$| |$$ |$$| * $$| |$$ |$$|
* $$| |$$ |$$| $$| |$$ |$$$$$$| |$$$$$$| * $$| |$$ |$$| $$| |$$ |$$$$$$| |$$$$$$|
* $$$$$$$$ |$$| $$| |$$ |$$ __ $$| ____$$| * $$$$$$$$ |$$| $$| |$$ |$$ __ $$| ____$$|
* $$| |$$ |$$| $$| |$$ |$$| |$$| $$$$$$$| * $$| |$$ |$$| $$| |$$ |$$| |$$| $$$$$$$|
* $$| |$$ |$$|___ $$|_|$$ |$$| |$$| $$___$$| * $$| |$$ |$$|___ $$|_|$$ |$$| |$$| $$___$$|
* $$| |$$ |$$$$$$$| $$$$$ |$$| |$$| $$$$$$$| * $$| |$$ |$$$$$$$| $$$$$ |$$| |$$| $$$$$$$|
* ---------------------------------------------- * ----------------------------------------------
> -------------------
> Diccionario creado!
> MENU
> 1. Generador de Diccionarios
> 0. Salir
> /***
> * $$| |$$ |$$|



This proves that differing binary files raises many false positives, and doesn't tell you anything about is safety.



In this case, I'd use the version compiled by myself because you have no way to know what version is uploaded, as the author may have forgotten to recompile before the last tweaks.






share|improve this answer








New contributor




Davidmh is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
















  • 7





    I don't think those are different names - what's actually happened is that when the immediately adjoining data are printable, strings grabs slightly more text. nm might be a better tool for extracting identifiers.

    – Toby Speight
    16 hours ago











  • @TobySpeight good point, I shall investigate and correct.

    – Davidmh
    10 hours ago











  • …and even a honest author might be unknowingly infected by some malware.

    – spectras
    5 hours ago











  • Protip/warning: GNU Strings was at one point vulnerable to arbitrary code execution if used on a malicious file. So it may be wise to avoid running it on untrusted files, just in case.

    – Kevin
    1 hour ago


















17














Polynomial tells you what may happen, and how to solve it. Here I will illustrate it:



I ran both binaries through strings and diffed them. That enough shows some completely harmless differences, in particular, the compiler used:



GCC: (Debian 6.3.0-18) 6.3.0 20170516                         | GCC: (GNU) 8.2.1 20181105 (Red Hat 8.2.1-5)
> GCC: (GNU) 8.3.1 20190223 (Red Hat 8.3.1-2)
> gcc 8.2.1 20181105


Some of the private names used are also different:



_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEaSEOS4_@ | _ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEaSERKS4_


And some sections seem to be shuffled, so the diff cannot match them exactly.



Even on the same computer, without optimisation and -O3 shows different files:



_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE6appendE | _ZNSt7__cxx1115basic_stringbufIcSt11char_traitsIcESaIcEED2Ev


Even shuffling of internal data:



Diccionario creado!                                           <
MENU <
1. Generador de Diccionarios <
0. Salir <
/*** <
* $$| |$$ |$$| <
* $$| |$$ |$$| * $$| |$$ |$$|
* $$| |$$ |$$| $$| |$$ |$$$$$$| |$$$$$$| * $$| |$$ |$$| $$| |$$ |$$$$$$| |$$$$$$|
* $$$$$$$$ |$$| $$| |$$ |$$ __ $$| ____$$| * $$$$$$$$ |$$| $$| |$$ |$$ __ $$| ____$$|
* $$| |$$ |$$| $$| |$$ |$$| |$$| $$$$$$$| * $$| |$$ |$$| $$| |$$ |$$| |$$| $$$$$$$|
* $$| |$$ |$$|___ $$|_|$$ |$$| |$$| $$___$$| * $$| |$$ |$$|___ $$|_|$$ |$$| |$$| $$___$$|
* $$| |$$ |$$$$$$$| $$$$$ |$$| |$$| $$$$$$$| * $$| |$$ |$$$$$$$| $$$$$ |$$| |$$| $$$$$$$|
* ---------------------------------------------- * ----------------------------------------------
> -------------------
> Diccionario creado!
> MENU
> 1. Generador de Diccionarios
> 0. Salir
> /***
> * $$| |$$ |$$|



This proves that differing binary files raises many false positives, and doesn't tell you anything about is safety.



In this case, I'd use the version compiled by myself because you have no way to know what version is uploaded, as the author may have forgotten to recompile before the last tweaks.






share|improve this answer








New contributor




Davidmh is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
















  • 7





    I don't think those are different names - what's actually happened is that when the immediately adjoining data are printable, strings grabs slightly more text. nm might be a better tool for extracting identifiers.

    – Toby Speight
    16 hours ago











  • @TobySpeight good point, I shall investigate and correct.

    – Davidmh
    10 hours ago











  • …and even a honest author might be unknowingly infected by some malware.

    – spectras
    5 hours ago











  • Protip/warning: GNU Strings was at one point vulnerable to arbitrary code execution if used on a malicious file. So it may be wise to avoid running it on untrusted files, just in case.

    – Kevin
    1 hour ago
















17












17








17







Polynomial tells you what may happen, and how to solve it. Here I will illustrate it:



I ran both binaries through strings and diffed them. That enough shows some completely harmless differences, in particular, the compiler used:



GCC: (Debian 6.3.0-18) 6.3.0 20170516                         | GCC: (GNU) 8.2.1 20181105 (Red Hat 8.2.1-5)
> GCC: (GNU) 8.3.1 20190223 (Red Hat 8.3.1-2)
> gcc 8.2.1 20181105


Some of the private names used are also different:



_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEaSEOS4_@ | _ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEaSERKS4_


And some sections seem to be shuffled, so the diff cannot match them exactly.



Even on the same computer, without optimisation and -O3 shows different files:



_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE6appendE | _ZNSt7__cxx1115basic_stringbufIcSt11char_traitsIcESaIcEED2Ev


Even shuffling of internal data:



Diccionario creado!                                           <
MENU <
1. Generador de Diccionarios <
0. Salir <
/*** <
* $$| |$$ |$$| <
* $$| |$$ |$$| * $$| |$$ |$$|
* $$| |$$ |$$| $$| |$$ |$$$$$$| |$$$$$$| * $$| |$$ |$$| $$| |$$ |$$$$$$| |$$$$$$|
* $$$$$$$$ |$$| $$| |$$ |$$ __ $$| ____$$| * $$$$$$$$ |$$| $$| |$$ |$$ __ $$| ____$$|
* $$| |$$ |$$| $$| |$$ |$$| |$$| $$$$$$$| * $$| |$$ |$$| $$| |$$ |$$| |$$| $$$$$$$|
* $$| |$$ |$$|___ $$|_|$$ |$$| |$$| $$___$$| * $$| |$$ |$$|___ $$|_|$$ |$$| |$$| $$___$$|
* $$| |$$ |$$$$$$$| $$$$$ |$$| |$$| $$$$$$$| * $$| |$$ |$$$$$$$| $$$$$ |$$| |$$| $$$$$$$|
* ---------------------------------------------- * ----------------------------------------------
> -------------------
> Diccionario creado!
> MENU
> 1. Generador de Diccionarios
> 0. Salir
> /***
> * $$| |$$ |$$|



This proves that differing binary files raises many false positives, and doesn't tell you anything about is safety.



In this case, I'd use the version compiled by myself because you have no way to know what version is uploaded, as the author may have forgotten to recompile before the last tweaks.






share|improve this answer








New contributor




Davidmh is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.










Polynomial tells you what may happen, and how to solve it. Here I will illustrate it:



I ran both binaries through strings and diffed them. That enough shows some completely harmless differences, in particular, the compiler used:



GCC: (Debian 6.3.0-18) 6.3.0 20170516                         | GCC: (GNU) 8.2.1 20181105 (Red Hat 8.2.1-5)
> GCC: (GNU) 8.3.1 20190223 (Red Hat 8.3.1-2)
> gcc 8.2.1 20181105


Some of the private names used are also different:



_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEaSEOS4_@ | _ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEaSERKS4_


And some sections seem to be shuffled, so the diff cannot match them exactly.



Even on the same computer, without optimisation and -O3 shows different files:



_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE6appendE | _ZNSt7__cxx1115basic_stringbufIcSt11char_traitsIcESaIcEED2Ev


Even shuffling of internal data:



Diccionario creado!                                           <
MENU <
1. Generador de Diccionarios <
0. Salir <
/*** <
* $$| |$$ |$$| <
* $$| |$$ |$$| * $$| |$$ |$$|
* $$| |$$ |$$| $$| |$$ |$$$$$$| |$$$$$$| * $$| |$$ |$$| $$| |$$ |$$$$$$| |$$$$$$|
* $$$$$$$$ |$$| $$| |$$ |$$ __ $$| ____$$| * $$$$$$$$ |$$| $$| |$$ |$$ __ $$| ____$$|
* $$| |$$ |$$| $$| |$$ |$$| |$$| $$$$$$$| * $$| |$$ |$$| $$| |$$ |$$| |$$| $$$$$$$|
* $$| |$$ |$$|___ $$|_|$$ |$$| |$$| $$___$$| * $$| |$$ |$$|___ $$|_|$$ |$$| |$$| $$___$$|
* $$| |$$ |$$$$$$$| $$$$$ |$$| |$$| $$$$$$$| * $$| |$$ |$$$$$$$| $$$$$ |$$| |$$| $$$$$$$|
* ---------------------------------------------- * ----------------------------------------------
> -------------------
> Diccionario creado!
> MENU
> 1. Generador de Diccionarios
> 0. Salir
> /***
> * $$| |$$ |$$|



This proves that differing binary files raises many false positives, and doesn't tell you anything about is safety.



In this case, I'd use the version compiled by myself because you have no way to know what version is uploaded, as the author may have forgotten to recompile before the last tweaks.







share|improve this answer








New contributor




Davidmh is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this answer



share|improve this answer






New contributor




Davidmh is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









answered 23 hours ago









DavidmhDavidmh

28615




28615




New contributor




Davidmh is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





Davidmh is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






Davidmh is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.








  • 7





    I don't think those are different names - what's actually happened is that when the immediately adjoining data are printable, strings grabs slightly more text. nm might be a better tool for extracting identifiers.

    – Toby Speight
    16 hours ago











  • @TobySpeight good point, I shall investigate and correct.

    – Davidmh
    10 hours ago











  • …and even a honest author might be unknowingly infected by some malware.

    – spectras
    5 hours ago











  • Protip/warning: GNU Strings was at one point vulnerable to arbitrary code execution if used on a malicious file. So it may be wise to avoid running it on untrusted files, just in case.

    – Kevin
    1 hour ago
















  • 7





    I don't think those are different names - what's actually happened is that when the immediately adjoining data are printable, strings grabs slightly more text. nm might be a better tool for extracting identifiers.

    – Toby Speight
    16 hours ago











  • @TobySpeight good point, I shall investigate and correct.

    – Davidmh
    10 hours ago











  • …and even a honest author might be unknowingly infected by some malware.

    – spectras
    5 hours ago











  • Protip/warning: GNU Strings was at one point vulnerable to arbitrary code execution if used on a malicious file. So it may be wise to avoid running it on untrusted files, just in case.

    – Kevin
    1 hour ago










7




7





I don't think those are different names - what's actually happened is that when the immediately adjoining data are printable, strings grabs slightly more text. nm might be a better tool for extracting identifiers.

– Toby Speight
16 hours ago





I don't think those are different names - what's actually happened is that when the immediately adjoining data are printable, strings grabs slightly more text. nm might be a better tool for extracting identifiers.

– Toby Speight
16 hours ago













@TobySpeight good point, I shall investigate and correct.

– Davidmh
10 hours ago





@TobySpeight good point, I shall investigate and correct.

– Davidmh
10 hours ago













…and even a honest author might be unknowingly infected by some malware.

– spectras
5 hours ago





…and even a honest author might be unknowingly infected by some malware.

– spectras
5 hours ago













Protip/warning: GNU Strings was at one point vulnerable to arbitrary code execution if used on a malicious file. So it may be wise to avoid running it on untrusted files, just in case.

– Kevin
1 hour ago







Protip/warning: GNU Strings was at one point vulnerable to arbitrary code execution if used on a malicious file. So it may be wise to avoid running it on untrusted files, just in case.

– Kevin
1 hour ago















51














Compilation is not a directly verifiable deterministic process across compiler versions, library versions, operating systems, or a number of other different variables. The only way to verify is to perform a diff at the assembly level. There are lots of tools that can do this but you still need to put the manual work in.






share|improve this answer



















  • 32





    Even that isn't going to be reliable across optimization levels.

    – chrylis
    yesterday






  • 40





    Even if the compiled object code is 100% identical, there may still be timestamps in the executable file's metadata which cause the resulting binaries to differ even though the code is identical.

    – Jörg W Mittag
    yesterday






  • 1





    Reproducible builds solve this problem.

    – forest
    23 hours ago
















51














Compilation is not a directly verifiable deterministic process across compiler versions, library versions, operating systems, or a number of other different variables. The only way to verify is to perform a diff at the assembly level. There are lots of tools that can do this but you still need to put the manual work in.






share|improve this answer



















  • 32





    Even that isn't going to be reliable across optimization levels.

    – chrylis
    yesterday






  • 40





    Even if the compiled object code is 100% identical, there may still be timestamps in the executable file's metadata which cause the resulting binaries to differ even though the code is identical.

    – Jörg W Mittag
    yesterday






  • 1





    Reproducible builds solve this problem.

    – forest
    23 hours ago














51












51








51







Compilation is not a directly verifiable deterministic process across compiler versions, library versions, operating systems, or a number of other different variables. The only way to verify is to perform a diff at the assembly level. There are lots of tools that can do this but you still need to put the manual work in.






share|improve this answer













Compilation is not a directly verifiable deterministic process across compiler versions, library versions, operating systems, or a number of other different variables. The only way to verify is to perform a diff at the assembly level. There are lots of tools that can do this but you still need to put the manual work in.







share|improve this answer












share|improve this answer



share|improve this answer










answered yesterday









PolynomialPolynomial

101k32249342




101k32249342








  • 32





    Even that isn't going to be reliable across optimization levels.

    – chrylis
    yesterday






  • 40





    Even if the compiled object code is 100% identical, there may still be timestamps in the executable file's metadata which cause the resulting binaries to differ even though the code is identical.

    – Jörg W Mittag
    yesterday






  • 1





    Reproducible builds solve this problem.

    – forest
    23 hours ago














  • 32





    Even that isn't going to be reliable across optimization levels.

    – chrylis
    yesterday






  • 40





    Even if the compiled object code is 100% identical, there may still be timestamps in the executable file's metadata which cause the resulting binaries to differ even though the code is identical.

    – Jörg W Mittag
    yesterday






  • 1





    Reproducible builds solve this problem.

    – forest
    23 hours ago








32




32





Even that isn't going to be reliable across optimization levels.

– chrylis
yesterday





Even that isn't going to be reliable across optimization levels.

– chrylis
yesterday




40




40





Even if the compiled object code is 100% identical, there may still be timestamps in the executable file's metadata which cause the resulting binaries to differ even though the code is identical.

– Jörg W Mittag
yesterday





Even if the compiled object code is 100% identical, there may still be timestamps in the executable file's metadata which cause the resulting binaries to differ even though the code is identical.

– Jörg W Mittag
yesterday




1




1





Reproducible builds solve this problem.

– forest
23 hours ago





Reproducible builds solve this problem.

– forest
23 hours ago











1














If the software is exactly the same at source level, then the question boils down to whether you can trust your compiler, system libraries and various utilities which are used during compilation. If you installed your toolchain from a trusted source and you trust your computer wasn't compromised meanwhile, then there's no reason to suspect that the binary file that you generated will be malicious, even if it differs from the "reference" build.






share|improve this answer



















  • 3





    Of course, Ken Thompson may disagree.

    – Jörg W Mittag
    16 hours ago






  • 1





    @JörgWMittag If you can't trust trust, who can you trust?

    – apsillers
    15 hours ago
















1














If the software is exactly the same at source level, then the question boils down to whether you can trust your compiler, system libraries and various utilities which are used during compilation. If you installed your toolchain from a trusted source and you trust your computer wasn't compromised meanwhile, then there's no reason to suspect that the binary file that you generated will be malicious, even if it differs from the "reference" build.






share|improve this answer



















  • 3





    Of course, Ken Thompson may disagree.

    – Jörg W Mittag
    16 hours ago






  • 1





    @JörgWMittag If you can't trust trust, who can you trust?

    – apsillers
    15 hours ago














1












1








1







If the software is exactly the same at source level, then the question boils down to whether you can trust your compiler, system libraries and various utilities which are used during compilation. If you installed your toolchain from a trusted source and you trust your computer wasn't compromised meanwhile, then there's no reason to suspect that the binary file that you generated will be malicious, even if it differs from the "reference" build.






share|improve this answer













If the software is exactly the same at source level, then the question boils down to whether you can trust your compiler, system libraries and various utilities which are used during compilation. If you installed your toolchain from a trusted source and you trust your computer wasn't compromised meanwhile, then there's no reason to suspect that the binary file that you generated will be malicious, even if it differs from the "reference" build.







share|improve this answer












share|improve this answer



share|improve this answer










answered 18 hours ago









Dmitry GrigoryevDmitry Grigoryev

7,6462144




7,6462144








  • 3





    Of course, Ken Thompson may disagree.

    – Jörg W Mittag
    16 hours ago






  • 1





    @JörgWMittag If you can't trust trust, who can you trust?

    – apsillers
    15 hours ago














  • 3





    Of course, Ken Thompson may disagree.

    – Jörg W Mittag
    16 hours ago






  • 1





    @JörgWMittag If you can't trust trust, who can you trust?

    – apsillers
    15 hours ago








3




3





Of course, Ken Thompson may disagree.

– Jörg W Mittag
16 hours ago





Of course, Ken Thompson may disagree.

– Jörg W Mittag
16 hours ago




1




1





@JörgWMittag If you can't trust trust, who can you trust?

– apsillers
15 hours ago





@JörgWMittag If you can't trust trust, who can you trust?

– apsillers
15 hours ago










mcruz2401 is a new contributor. Be nice, and check out our Code of Conduct.










draft saved

draft discarded


















mcruz2401 is a new contributor. Be nice, and check out our Code of Conduct.













mcruz2401 is a new contributor. Be nice, and check out our Code of Conduct.












mcruz2401 is a new contributor. Be nice, and check out our Code of Conduct.
















Thanks for contributing an answer to Information Security Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f206000%2fcan-i-rely-on-these-github-repository-files%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

Færeyskur hestur Heimild | Tengill | Tilvísanir | LeiðsagnarvalRossið - síða um færeyska hrossið á færeyskuGott ár hjá færeyska hestinum

He _____ here since 1970 . Answer needed [closed]What does “since he was so high” mean?Meaning of “catch birds for”?How do I ensure “since” takes the meaning I want?“Who cares here” meaningWhat does “right round toward” mean?the time tense (had now been detected)What does the phrase “ring around the roses” mean here?Correct usage of “visited upon”Meaning of “foiled rail sabotage bid”It was the third time I had gone to Rome or It is the third time I had been to Rome

Slayer Innehåll Historia | Stil, komposition och lyrik | Bandets betydelse och framgångar | Sidoprojekt och samarbeten | Kontroverser | Medlemmar | Utmärkelser och nomineringar | Turnéer och festivaler | Diskografi | Referenser | Externa länkar | Navigeringsmenywww.slayer.net”Metal Massacre vol. 1””Metal Massacre vol. 3””Metal Massacre Volume III””Show No Mercy””Haunting the Chapel””Live Undead””Hell Awaits””Reign in Blood””Reign in Blood””Gold & Platinum – Reign in Blood””Golden Gods Awards Winners”originalet”Kerrang! Hall Of Fame””Slayer Looks Back On 37-Year Career In New Video Series: Part Two””South of Heaven””Gold & Platinum – South of Heaven””Seasons in the Abyss””Gold & Platinum - Seasons in the Abyss””Divine Intervention””Divine Intervention - Release group by Slayer””Gold & Platinum - Divine Intervention””Live Intrusion””Undisputed Attitude””Abolish Government/Superficial Love””Release “Slatanic Slaughter: A Tribute to Slayer” by Various Artists””Diabolus in Musica””Soundtrack to the Apocalypse””God Hates Us All””Systematic - Relationships””War at the Warfield””Gold & Platinum - War at the Warfield””Soundtrack to the Apocalypse””Gold & Platinum - Still Reigning””Metallica, Slayer, Iron Mauden Among Winners At Metal Hammer Awards””Eternal Pyre””Eternal Pyre - Slayer release group””Eternal Pyre””Metal Storm Awards 2006””Kerrang! Hall Of Fame””Slayer Wins 'Best Metal' Grammy Award””Slayer Guitarist Jeff Hanneman Dies””Bullet-For My Valentine booed at Metal Hammer Golden Gods Awards””Unholy Aliance””The End Of Slayer?””Slayer: We Could Thrash Out Two More Albums If We're Fast Enough...””'The Unholy Alliance: Chapter III' UK Dates Added”originalet”Megadeth And Slayer To Co-Headline 'Canadian Carnage' Trek”originalet”World Painted Blood””Release “World Painted Blood” by Slayer””Metallica Heading To Cinemas””Slayer, Megadeth To Join Forces For 'European Carnage' Tour - Dec. 18, 2010”originalet”Slayer's Hanneman Contracts Acute Infection; Band To Bring In Guest Guitarist””Cannibal Corpse's Pat O'Brien Will Step In As Slayer's Guest Guitarist”originalet”Slayer’s Jeff Hanneman Dead at 49””Dave Lombardo Says He Made Only $67,000 In 2011 While Touring With Slayer””Slayer: We Do Not Agree With Dave Lombardo's Substance Or Timeline Of Events””Slayer Welcomes Drummer Paul Bostaph Back To The Fold””Slayer Hope to Unveil Never-Before-Heard Jeff Hanneman Material on Next Album””Slayer Debut New Song 'Implode' During Surprise Golden Gods Appearance””Release group Repentless by Slayer””Repentless - Slayer - Credits””Slayer””Metal Storm Awards 2015””Slayer - to release comic book "Repentless #1"””Slayer To Release 'Repentless' 6.66" Vinyl Box Set””BREAKING NEWS: Slayer Announce Farewell Tour””Slayer Recruit Lamb of God, Anthrax, Behemoth + Testament for Final Tour””Slayer lägger ner efter 37 år””Slayer Announces Second North American Leg Of 'Final' Tour””Final World Tour””Slayer Announces Final European Tour With Lamb of God, Anthrax And Obituary””Slayer To Tour Europe With Lamb of God, Anthrax And Obituary””Slayer To Play 'Last French Show Ever' At Next Year's Hellfst””Slayer's Final World Tour Will Extend Into 2019””Death Angel's Rob Cavestany On Slayer's 'Farewell' Tour: 'Some Of Us Could See This Coming'””Testament Has No Plans To Retire Anytime Soon, Says Chuck Billy””Anthrax's Scott Ian On Slayer's 'Farewell' Tour Plans: 'I Was Surprised And I Wasn't Surprised'””Slayer””Slayer's Morbid Schlock””Review/Rock; For Slayer, the Mania Is the Message””Slayer - Biography””Slayer - Reign In Blood”originalet”Dave Lombardo””An exclusive oral history of Slayer”originalet”Exclusive! Interview With Slayer Guitarist Jeff Hanneman”originalet”Thinking Out Loud: Slayer's Kerry King on hair metal, Satan and being polite””Slayer Lyrics””Slayer - Biography””Most influential artists for extreme metal music””Slayer - Reign in Blood””Slayer guitarist Jeff Hanneman dies aged 49””Slatanic Slaughter: A Tribute to Slayer””Gateway to Hell: A Tribute to Slayer””Covered In Blood””Slayer: The Origins of Thrash in San Francisco, CA.””Why They Rule - #6 Slayer”originalet”Guitar World's 100 Greatest Heavy Metal Guitarists Of All Time”originalet”The fans have spoken: Slayer comes out on top in readers' polls”originalet”Tribute to Jeff Hanneman (1964-2013)””Lamb Of God Frontman: We Sound Like A Slayer Rip-Off””BEHEMOTH Frontman Pays Tribute To SLAYER's JEFF HANNEMAN””Slayer, Hatebreed Doing Double Duty On This Year's Ozzfest””System of a Down””Lacuna Coil’s Andrea Ferro Talks Influences, Skateboarding, Band Origins + More””Slayer - Reign in Blood””Into The Lungs of Hell””Slayer rules - en utställning om fans””Slayer and Their Fans Slashed Through a No-Holds-Barred Night at Gas Monkey””Home””Slayer””Gold & Platinum - The Big 4 Live from Sofia, Bulgaria””Exclusive! Interview With Slayer Guitarist Kerry King””2008-02-23: Wiltern, Los Angeles, CA, USA””Slayer's Kerry King To Perform With Megadeth Tonight! - Oct. 21, 2010”originalet”Dave Lombardo - Biography”Slayer Case DismissedArkiveradUltimate Classic Rock: Slayer guitarist Jeff Hanneman dead at 49.”Slayer: "We could never do any thing like Some Kind Of Monster..."””Cannibal Corpse'S Pat O'Brien Will Step In As Slayer'S Guest Guitarist | The Official Slayer Site”originalet”Slayer Wins 'Best Metal' Grammy Award””Slayer Guitarist Jeff Hanneman Dies””Kerrang! Awards 2006 Blog: Kerrang! Hall Of Fame””Kerrang! Awards 2013: Kerrang! Legend”originalet”Metallica, Slayer, Iron Maien Among Winners At Metal Hammer Awards””Metal Hammer Golden Gods Awards””Bullet For My Valentine Booed At Metal Hammer Golden Gods Awards””Metal Storm Awards 2006””Metal Storm Awards 2015””Slayer's Concert History””Slayer - Relationships””Slayer - Releases”Slayers officiella webbplatsSlayer på MusicBrainzOfficiell webbplatsSlayerSlayerr1373445760000 0001 1540 47353068615-5086262726cb13906545x(data)6033143kn20030215029