by lbenes 2952 days ago
There are nearly 10 million lines of code in libreoffice, and yet I can and have built it from source just by typing:

1. $ git clone git://anongit.freedesktop.org/libreoffice/core

2. $ apt-get build-dep libreoffice

3. $ ./autogen.sh && make

Just because something has a large code base doesn't mean we shouldn't be able to build it from source ourselves.


Did you read all those lines yourself? Did you even confirm checksums matched before running them?

I think that's the parent's point. You can build from source, but how do you trust the source? Is it any more egregious to trust a prebuilt binary from a specific website than it is the raw source? If you can't trust the binary being hosted by the author/caretaker, can you really trust the source being hosted or maintained by the author/caretaker?

I don't think his point is so much about the source as it is about updating N containers. For instance, say there's a known libssl bug. Can you tell how many of your containers are running that version of libssl? And how do they get updated?
1) List the number of containers running pre-fix versions of images of libssl-using server software.
2) Bump the version of the images you're using as a base for your server images to post-libssl-fix and push.
I think the point isn't that we can build from source, but why. If it's a huge codebase you can't independently audit that source code. So ultimately if you compile it or the organization making it doesn't matter for purposes of trusting that code not to be malicious.