How do you check that the open sourced code is the same one that you are installing from the extension repository and actually running?
CRX Viewer is handy for quickly checking what's been published:
> How do you check that the open sourced code is the same one that you are installing from the extension repository and actually running?
Extensions are local files on disk. After installing it, you can audit it locally.
I don't know about all operating systems but on Linux they are stored as .xpi files which are zip files. You can unzip it.
On my machine they are installed to $HOME/.mozilla/firefox/52xz2p7e.default-release/extensions but I think that string in the middle could be different for everyone.
Diffing it vs what's released in its open source repo would be a quick way to see if anything has been adjusted.
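The unzip-and-diff check above, written out as an added example (not code from this thread or from any extension project): it hashes every file inside an installed .xpi and compares it against a reference tree you have built from the repository, reporting not only modified files but also files present on one side only. The `repo_build` directory, the sample manifest and script, and the treatment of `META-INF/` as the store's signing-time additions are all assumptions made for the example.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path

def xpi_digests(xpi_path) -> dict:
    """SHA-256 of every file inside the .xpi (a plain zip); directory entries skipped."""
    with zipfile.ZipFile(xpi_path) as zf:
        return {i.filename: hashlib.sha256(zf.read(i)).hexdigest()
                for i in zf.infolist() if not i.is_dir()}

def tree_digests(root) -> dict:
    """SHA-256 of every file under root, keyed like zip entries ('/'-separated, relative)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare_xpi_to_tree(xpi_path, ref_root, ignore=("META-INF/",)) -> dict:
    """Installed .xpi vs reference tree -> {'missing', 'extra', 'modified'} file lists.
    META-INF/ holds the store's signature files, added at signing time, so it is ignored."""
    installed = {k: v for k, v in xpi_digests(xpi_path).items()
                 if not any(k.startswith(p) for p in ignore)}
    reference = tree_digests(ref_root)
    return {
        "missing": sorted(k for k in reference if k not in installed),
        "extra": sorted(k for k in installed if k not in reference),
        "modified": sorted(k for k in installed if k in reference and installed[k] != reference[k]),
    }

def demo() -> tuple:
    """Constructed sample, not a real extension: pack a tiny reference tree into a clean
    .xpi and a tampered one (one script gains an extra line) and compare both."""
    with tempfile.TemporaryDirectory() as tmp:
        ref = Path(tmp) / "repo_build"
        (ref / "scripts").mkdir(parents=True)
        (ref / "manifest.json").write_text('{"name": "sample", "version": "1.0"}')
        (ref / "scripts" / "content.js").write_text('console.log("hello");\n')
        results = []
        for name, tamper in (("clean.xpi", False), ("tampered.xpi", True)):
            xpi = Path(tmp) / name
            with zipfile.ZipFile(xpi, "w") as zf:
                for p in (q for q in ref.rglob("*") if q.is_file()):
                    data = p.read_bytes()
                    if tamper and p.name == "content.js":
                        data += b"// line that is not in the repo\n"
                    zf.writestr(p.relative_to(ref).as_posix(), data)
                zf.writestr("META-INF/mozilla.rsa", b"placeholder")  # ignored by default
            results.append(compare_xpi_to_tree(xpi, ref))
        return tuple(results)  # (clean_result, tampered_result)
```

Point `ref_root` at the output of the repository's own build step for the tagged release, not at a raw checkout: most extension repos bundle or minify sources at build time, so the checkout itself will never match the shipped .xpi byte for byte.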
I'm running Uniget on Win11 and this is my worry there. Provenance of installs vs the actually released files.
This kind of nihilistic comment doesn’t do anything for me.
There’s always a possibility of problems along the chain. You are reducing your risk not eliminating it.
I wish we had something like "source hash" available in all repositories.
I agree but let me play the devil's advocate. I'll channel Stallman:
Same argument can be applied to all closed source software.
In the end it's about who you trust and who needs to be verified and that is relative, subjective, and contextual... always.
So unless you can read the source code and compile yourself on a system you built on an OS you also built from source on a machine built before server management backdoors were built into every server... you are putting your trust somewhere and you cannot really validate it beyond wider public perceptions.