How do you know that the .exe or .apk file for an open source software on github is actually compiled from the viewable source code?

• Visual Studio Code

  2,840 158,095 10.0 TypeScript

  Visual Studio Code

  

The version of Visual Studio Code published by Microsoft, for example, uses a non-open source license because their build process adds proprietary components (e.g., telemetry). (VSCodium was created to generate FOSS releases from Microsoft's core repository)

• rfcs

  35 716 5.6 JavaScript

  Public change requests/proposals & ideation (by npm)

  

This just got accepted as a proposal in NPM: https://github.com/npm/rfcs/pull/626

• InfluxDB

  www.influxdata.com sponsored

  Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.

  

• witness

  7 358 9.0 Go

  Witness is a pluggable framework for software supply chain risk management. It automates, normalizes, and verifies software artifact provenance.

  

Verifying provenance across CI steps is what the in-toto project was designed to help with. We implement in-toto with our open-source projects, Witness and Archivist.

• archivista

  1 53 9.2 Go

  Archivista is a graph and storage service for in-toto attestations. Archivista enables the discovery and retrieval of attestations for software artifacts.

  

Verifying provenance across CI steps is what the in-toto project was designed to help with. We implement in-toto with our open-source projects, Witness and Archivist.

Suggest a related project