Bitcoin Forum
Author Topic: How Do I Verify the Integrity of Open-Source Code  (Read 205 times)
panganib999 (Hero Member)
September 17, 2023, 11:19:02 PM, #21

I don't think it's really that important. I'd argue that if you're going to buy a wallet with a codebase that could easily be edited, it's much better to just buy a wallet from a provider or use your hard disk instead, because you're putting yourself at a bigger risk of losing your money to bad actors and hackers. Plus, when it comes to "open-source", you can't really do much to verify it besides take the developer's word for it. There's no way for the consumer to confirm whether a program is open-source until they actually work with said program.

Don't worry about the trivial details anymore; just make sure you buy a self-custodial wallet, and for the most part of your crypto journey, that's going to be enough.
Medusah (Sr. Member)
September 19, 2023, 09:21:35 AM, #22
Merited by BlackHatCoiner (4)

No, it's not. The general advice is that closed source wallets are bad, but this doesn't make all open source good. If you can't review the wallet code yourself, and if no one that you trust has reviewed it, then it's not too different from closed source. There's less chance that someone would put backdoors into an open source wallet, because it's possible to spot it, but this doesn't mean that no one will try such a thing.

They definitely try those things: https://security.stackexchange.com/questions/23334/example-of-a-backdoor-submitted-to-an-open-source-project

It just happens to be big projects. Fortunately, it's expert developers that work on these projects and spot them. This Linux backdoor attempt back in 2003 was difficult to spot: https://freedom-to-tinker.com/2003/11/12/linux-backdoor-attempt-thwarted/. The attacker's added code was this:
Code:
if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
        retval = -EINVAL;

If you're a C programmer, you can spot it more easily than a regular programmer.

Answer:
current->uid = 0 assigns the value 0 to current->uid and then returns 0 to the condition, which means the condition is always false and current->uid is always set to 0. You would expect current->uid == 0 instead.

Today, that would be even easier to spot with things like Visual Studio Code.

NotATether (Legendary)
September 19, 2023, 11:30:58 AM, #23
Merited by BlackHatCoiner (4)

I consider myself a skeptic to a degree, and I know that there is always the possibility that these companies could post the open source code online but run different code on your device.
When software is said to be open-source, it means you can verify this yourself. All you need to do is download the repository and follow the instructions, which more or less go as follows:

Step 0: Have a compiler (e.g., gcc).
Step 1: Install some libraries (the instructions will give you the precise command to enter in the terminal).
Step 2: Compile. Probably with some Makefile, which is essentially an automated way to build the program.
Step 3: Verify the binaries' checksum (as you would in any case).

This way you can verify that the binaries the company has on their main page are indeed not altered.

That only works if the project is written in C or C++. Most projects have an installation section with step-by-step instructions on how to build stuff written in other languages.

Also, you forgot an important step: use Git to check out the tag containing the version number. If you don't do this, the checksums are going to be different at the end, because more code was changed in the meantime.
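The last step of the procedure above (build the tagged release, then compare your binary's digest with the vendor's published SHA256SUMS) as an added example; this is constructed for illustration and is not code from the thread or any project. The "build" artifacts, the SHA256SUMS file and the name "wallet" are all made up inline so the script runs offline, and it also shows the mismatch you get when a build of an untagged HEAD is compared instead.

```shell
#!/bin/sh
# Compare a locally built binary against a vendor-published SHA256SUMS file.
# All data below is constructed for this example; no real project checksums.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stand-in for the artifact `make` produces after `git checkout v1.2.3`
# (the tag the vendor built its release from). Hypothetical tag name.
printf 'release build of wallet v1.2.3\n' > "$WORK/wallet"
# Stand-in for a build of an untagged HEAD: later commits change the output,
# so its digest will never match the published one.
printf 'release build of wallet v1.2.3 + later commits\n' > "$WORK/wallet-head"

# Vendor's SHA256SUMS, constructed here from the tagged artifact. In practice
# you download this file (and check the vendor's PGP signature over it).
printf '%s  wallet\n' "$(sha256sum "$WORK/wallet" | cut -d' ' -f1)" \
    > "$WORK/SHA256SUMS"

# verify_build SUMS_FILE BUILT_FILE NAME
# Returns 0 when the digest listed for NAME matches BUILT_FILE, 1 otherwise.
verify_build() {
    sums=$1; built=$2; name=$3
    # SHA256SUMS lines look like "<hex digest>  <file name>".
    expected=$(awk -v n="$name" '$2 == n { print $1 }' "$sums")
    [ -n "$expected" ] || { echo "no entry for $name in $sums"; return 1; }
    actual=$(sha256sum "$built" | cut -d' ' -f1)
    if [ "$expected" = "$actual" ]; then
        echo "OK: $name matches the published digest"
        return 0
    fi
    echo "MISMATCH: $name"
    echo "  published: $expected"
    echo "  built:     $actual"
    return 1
}

verify_build "$WORK/SHA256SUMS" "$WORK/wallet" wallet        # tagged build: OK
verify_build "$WORK/SHA256SUMS" "$WORK/wallet-head" wallet || true  # HEAD: MISMATCH
```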

yhiaali3 (Legendary)
September 19, 2023, 05:11:32 PM, #24

Quote from: panganib999
I don't think it's really that important. I'd argue that if you're going to buy a wallet with a codebase that could easily be edited, it's much better to just buy a wallet from a provider or use your hard disk instead, because you're putting yourself at a bigger risk of losing your money to bad actors and hackers. Plus, when it comes to "open-source", you can't really do much to verify it besides take the developer's word for it. There's no way for the consumer to confirm whether a program is open-source until they actually work with said program.

Don't worry about the trivial details anymore; just make sure you buy a self-custodial wallet, and for the most part of your crypto journey, that's going to be enough.

These are not trivial details; on the contrary, they are extremely important. This relates directly to the security of your assets, and any small mistake can cost you all your crypto assets.

Buying a self-custodial wallet is not enough. If you mean hardware wallets, they also have programs, some of which are closed source and some of which are open source. As for closed source wallets like Ledger, they cannot be trusted, especially after it became clear that the company has access to the seed.

As for wallets that use open source software such as Trezor, we return to the same problem, which is how to make sure that we are downloading the correct software and not the wrong one, because if you download the wrong software, you will lose all your assets.
