bitcoins open sourceness

[yeponlyone]

Is it possible to view the code of the actual bitcoin.exe program available for download rather than trust that the open source code provided online is indeed the same as the download? if not, it seems that the one downloaded could potentially be a sort of a look-a-like program that actually holds a malicious timebomb of sorts. I'm sure there is an simple answer, I just have not found it yet.

[1715010145]

1715010145

[1715010145]

1715010145

[1715010145]

1715010145

[1715010145]

1715010145

[1715010145]

1715010145

[Enochian]

Is it possible to view the code of the actual bitcoin.exe program available for download rather than trust that the open source code provided online is indeed the same as the download? if not, it seems that the one downloaded could potentially be a sort of a look-a-like program that actually holds a malicious timebomb of sorts. I'm sure there is an simple answer, I just have not found it yet.

The developers build the distribution you download, which comes with source.  It is highly unlikely they would distribute binaries with extra stuff in them which don't match the source they provide.

You are welcome to build the programs, as well as the libraries they use, completely from source, and run those.  Aside from things like date strings, they should verify against the provided binaries.

You are probably orders of magnitude more likely at risk from bugs than you are from a developer conspiracy.

Not to mention the 100 million lines of Windows source you don't have, that is also running on your machine.

[Vasili Sviridov]

Simple answer would be to build it yourself if you want to.
But then you're still not guaranteed that the compiler you use is not generating something not in original code for you.

It's a pretty old issue, actually.

You can take it even further, say, if you bootstrap your own compiler and compile the source yourself, how can you be absolutely certain that there are no programmatic trapdoors left in your CPU microcode?

[bitlotto]

I've heard plans that one day there will be a generic build environment people can use to verify it. Then anyone can check the one already compiled against the one they just built to ensure it's ok. Not sure how far off that is though.

[Gavin Andresen]

I make the Amazon virtual machine images that I used to build the Windows and Linux binaries available... but Amazon recently took them down because they contain my ssh public key in the "allowed to login without a password" file. Removing the public key and then making the modified virtual machines public again is on my TODO list (Amazon doesn't want anybody to have a 'back door' into a public machine image, and bravo to them for checking-- I had no intention of logging into other's bitcoin-build-environment virtual machines, I just needed an easy way to login while I was putting together the releases).

If you have an EC2 account, you can run them and recreate the exact build environment and check to make sure you get exactly the same executable code  (the compilers may put timestamps inside the files which you'd have to ignore).

The plan for future releases is to use devrandom's 'gitian' build system, which is a spiffy way of creating a well-defined virtual machine image from signed and trusted repositories, fetching a specific version of the code from the git source tree, and compiling in a way that is completely reproducible.
 See: https://github.com/devrandom/gitian-builder

[ArsenShnurkov]

I'm sure there is an simple answer, I just have not found it yet.

You can use gentoo operating system, like I do.
Everything here comes either from my own build server or compiled directly from source.

[Nesetalis]

most operating systems can use CMake.. utilize it....

[Rage]

Is it possible to view the code of the actual bitcoin.exe program available for download rather than trust that the open source code provided online is indeed the same as the download? if not, it seems that the one downloaded could potentially be a sort of a look-a-like program that actually holds a malicious timebomb of sorts. I'm sure there is an simple answer, I just have not found it yet.

Don't trust the binaries then. Compile the source yourself. That's the beauty of open source: you have no reason to trust a software developer but many ways  to check the source code :-)

Rage

[Matt Corallo]

Well, could anyone create a tree with all the libraries pre-installed and setup so compiling would be EASY, for Christ sake?

If you are on Windows, well you are in luck, see http://bitcointalk.org/index.php?topic=4750.0 and http://bitcointalk.org/index.php?topic=5851.msg86700#msg86700.
If you are on Linux, the instructions really are quite easy, ask if you have questions.
If you are on Mac...well you are pretty much SOL, I might get around to writing some more build instructions for Mac, but I don't have the time atm...