by segfaultbuserr 2053 days ago
Reproducible builds [0] are the modern solution to this problem: they generate the same binary output on everyone's computer by carefully controlling the compiler version and input data to the build system, thus allowing users to independently verify that an official binary is a faithful build of its source code. Although it's not a silver bullet (compiler bootstrapping is still vulnerable), it still greatly increases the level of confidence. Signal has used reproducible builds since 2016 [1].

[0] https://reproducible-builds.org/

[1] https://signal.org/blog/reproducible-android/
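An added illustration of the point above about pinning the build's inputs (example code, not from the thread or from Signal): a constructed two-file source tree is packed on two different "dates"; the naive build leaks timestamps and builder identity into the artifact, so an official and a local hash never match, while the pinned build makes them identical. File names, contents and timestamps are made up.

```python
import hashlib
import io
import os
import tarfile
import tempfile

# Constructed sample sources: the only thing a build should depend on.
SOURCES = {"main.c": b"int main(void) { return 0; }\n", "Makefile": b"all: main\n"}

def write_source_tree(dirpath, mtime):
    """Materialise SOURCES in dirpath with the given modification time."""
    for name, body in SOURCES.items():
        path = os.path.join(dirpath, name)
        with open(path, "wb") as f:
            f.write(body)
        os.utime(path, (mtime, mtime))

def build_naive(src_dir):
    """Default packing: directory order, mtimes and ownership all leak in."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in os.listdir(src_dir):  # order is filesystem-dependent
            tar.add(os.path.join(src_dir, name), arcname=name)
    return buf.getvalue()

def build_reproducible(src_dir):
    """Same sources, but every environment-derived field is pinned."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in sorted(os.listdir(src_dir)):  # fixed order
            path = os.path.join(src_dir, name)
            info = tar.gettarinfo(path, arcname=name)
            info.mtime = 0  # like SOURCE_DATE_EPOCH: no build-time timestamp
            info.mode = 0o644  # no umask dependence
            info.uid = info.gid = 0  # no builder identity
            info.uname = info.gname = ""
            with open(path, "rb") as f:
                tar.addfile(info, f)
    return buf.getvalue()

def verify(build):
    """Build an 'official' and a 'local' copy on different dates; return
    (official_sha256, local_sha256, identical)."""
    digests = []
    for mtime in (1_600_000_000, 1_631_536_000):  # two unrelated build dates
        with tempfile.TemporaryDirectory() as d:
            write_source_tree(d, mtime)
            digests.append(hashlib.sha256(build(d)).hexdigest())
    return digests[0], digests[1], digests[0] == digests[1]
```

`verify(build_naive)` reports a mismatch and `verify(build_reproducible)` a match; a real project pins the compiler and its flags the same way, not just archive metadata.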

2 comments

Did you read this part?

> You can never 100% know for sure if that code doesn't have a security backdoor

How does compilation methodology help with analyzing millions of lines of code?

Did you read this part?

> This is why the UNIX philosophy of distributing only source code and building locally for apps is important. You can never 100% know [...], but at least you have the opportunity to self audit.

My comment was a reply to "distributing only source code and building locally for apps is important", and I pointed out that reproducible builds enable an alternative method to achieve the same without requiring everyone to rebuild from scratch (which is arguably worse from the perspective of uncertainty). And that's all. I didn't have anything to say on the audit question.

But if you want to nitpick, yes, this reply is incomplete, and to defend my comment properly, I should've quoted the first (and only the first) sentence of the comment I was replying to, to clarify my point. On the other hand, I think it would be painful to do full-time proofreading of every single comment I'm going to make.

Now this makes sense. The original comment did not. Thanks.