by bothuman 4398 days ago
>- The version there works and does not seem to have a trojan, so probably not a regular hacker.

Incorrect, all the guy did was compare diffs of the source. He did not compile the source to make sure the binaries matched.


Are you sure? He does say "binaries when run make no unexpected...".

And matching binaries is not a trivial task because of OS, compiler and SDK versions. The last time someone did this for Truecrypt it made the news: https://madiba.encs.concordia.ca/~x_decarn/truecrypt-binarie...

Binaries could have code that will activate in future.
If you have a copy of the source that you've vetted, and you can compile it in such a way that the resulting binary is a bit-for-bit match of the developer released binary, then you know that either there is no future-activation code or you missed it in your review or your compiler was itself compiled maliciously with the intent of inserting malicious code into that exact version of truecrypt every time it was compiled. Or there is no future activation code.
which is a fucking pain in the ass as stated such that it is a newsworthy feat?
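
As an added illustration (not code from any commenter or from the linked analysis), here is the bit-for-bit comparison discussed in this thread, sketched in Python. When a locally compiled binary does not match the released one, it reports which byte ranges differ, so a reviewer can see whether the mismatch is confined to a few small fields or spread through the file. The function names are hypothetical and the sample bytes are constructed.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def diff_regions(a: bytes, b: bytes, gap: int = 8):
    """Half-open (start, end) ranges where a and b differ.
    Differing bytes at most `gap` positions apart are merged into one range."""
    regions, start, last = [], None, None
    n = min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i]:
            if start is None:
                start = i
            elif i - last > gap:
                regions.append((start, last + 1))
                start = i
            last = i
    if start is not None:
        regions.append((start, last + 1))
    if len(a) != len(b):
        # One file is longer: the whole tail counts as a difference.
        regions.append((n, max(len(a), len(b))))
    return regions

def compare_builds(local: bytes, released: bytes) -> dict:
    """Compare a locally compiled binary with the developer-released one."""
    local_hash, released_hash = sha256_hex(local), sha256_hex(released)
    identical = local_hash == released_hash
    return {
        "identical": identical,
        "local_sha256": local_hash,
        "released_sha256": released_hash,
        "regions": [] if identical else diff_regions(local, released),
    }

# Constructed sample: a 1 KiB "released" image and a "local" build that
# differs in one 4-byte field and one single byte elsewhere.
SAMPLE_RELEASED = bytes(range(256)) * 4
_local = bytearray(SAMPLE_RELEASED)
_local[0x88:0x8C] = b"\xde\xad\xbe\xef"
_local[0x300] ^= 0xFF
SAMPLE_LOCAL = bytes(_local)

if __name__ == "__main__":
    result = compare_builds(SAMPLE_LOCAL, SAMPLE_RELEASED)
    print("identical:", result["identical"])
    for start, end in result["regions"]:
        print(f"differs at 0x{start:x}-0x{end:x} ({end - start} bytes)")
```

For real files, pass the contents of each binary (for example `open(path, "rb").read()`) to `compare_builds`; any reported range then has to be explained before the two builds can be treated as equivalent.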