Back to source: trust but verify all the packages
Analysis pipeline for mapping and cross-referencing binaries with source code
Sometimes, the released binaries of an open source package do not match its source code. Or the source code does not match the code in a version control repo. There are many reasons for this discrepancy, but in all cases, this is a potential serious issue as the binary cannot be trusted. Additional (or different) code in the binary could be malware or a vector for unknown software vulnerabilities, or create FOSS license compliance issues.
Back to source creates analysis pipelines to systematically map and cross-reference the binaries of a FOSS package to its source code and source repository and report discrepancies. We call this the deployment to development analysis (d2d) to map deployed code (binaries) to the development code (the sources) and plan to apply this "trust but verify" approach to all the binaries!
- The project's own website: https://aboutcode.org
Run by AboutCode
This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594.
