The Software Trust Crisis: Why We Have to Trust Software (Mostly)
2024-12-31
This article explores the difficult problem of trusting software. The author argues that even secure messaging apps rely on trust in the vendor, that the sheer volume of code in open-source software makes review impractical, and that code signing verifies integrity but relies on user diligence and is easily circumvented. The article examines weaknesses across the software supply chain, covering code signing, blocklisting, auto-updates, and package managers. It introduces techniques such as reproducible builds and binary transparency that can strengthen software trust, but ultimately concludes that the problem is far from solved, leaving us with the uncomfortable reality of having to trust software vendors.