To Trust, or not to Trust

Can I trust this binary? After downloading an executable file of pre-compiled code, a sensible question to ask yourself before running it is: do I trust this code? Correction: even before downloading the executable, you should probably already have asked yourself that question.

Trust, but Verify

How do we know if we can trust software? Let’s start by sorting software into two categories, closed source and open source, to make it easier. The difference between the two is whether the source code is freely available (open) or not available (closed).

Closed Source

If it is closed source there is a lot of trust involved, since it is a lot harder to verify that the software does what we’re told it should do and only that. For this kind of software the reputation of the entity providing it becomes more important. Some things to consider: do they have a history of a lot of bugs, are they well-known and trusted, and, if they are a business, what is their business model?

Buggy software is not great, but if the bugs are all resolved quickly, that could be something which increases our trust in that software. It might also indicate that the software has a lot of technical debt and that more bugs are going to be found (this is true for any software). Another factor is the severity of the bugs: are they just minor inconveniences or are they serious? For closed source software this can of course be harder to find out, if it is possible at all.

Reputation might be easier to find information about. For example, is the software the de facto choice for that purpose? In that case it is to a certain extent trusted by many people, and the people behind it are arguably somewhat capable of writing software which does something well.

If it is a business, how do they make a profit? The saying “if you’re not paying with money, you’re paying with something else” most likely holds very true in this case. There is of course software which provides limited functionality in the hope of an up-sell to the paid version. But if the whole software or service is free, how do they make money?

It is not so easy to verify that closed source software only does what it is supposed to do. However, some approaches are to monitor the program while it is running: you could take a memory dump, you could run it with a debugger, or you could monitor the network traffic for any packets it is sending and/or receiving. There are most certainly more methods than the ones I have mentioned here and I hope to explore more of them in the future.

Open Source

When it comes to open source, the source code is available to be scrutinized and anyone can try to make a contribution or, in theory, verify that it works as expected. This should make it a lot easier to verify that the software does what it is supposed to do. Given that you have the expertise, it certainly is easier to validate the code, but in practice how much of the software is checked? How much of it is maintained? Are you going to read hundreds or thousands of lines of code to verify the functionality? In other words, if the code is there to verify but nobody verifies it, is it really verified?

There certainly is quite a bit of trust involved for open source too, since it is not feasible to check every piece of software yourself. However, if you find a bug or suspect that the software has some side effects, the source code is there for you to verify it. You could even fix it, submit a bug report and a suggested fix for it. This of course is not possible if the project is abandoned, but in those cases it might be that it has been forked and is maintained by someone else, or you could fork and maintain it yourself.

In Closing

Regardless of the software being open or closed source, there is a certain amount of trust involved. Depending on how much you trust the software, you might want to treat it in different ways. If you don’t trust the software, a good option is to run it in a virtual machine where you can keep it isolated. Another good practice is to verify the SHA-1 checksum of the file to ensure the downloaded file is the same as the one provided.
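
The checksum check mentioned above can be scripted. This is an added example, not code from the original post: it parses a published line in `sha1sum` output format, hashes the download in chunks and compares the digests, and it goes a little beyond SHA-1 by inferring the algorithm from the digest length so SHA-256 and SHA-512 lines work too. The function names, the file name `tool.bin` and the sample payload are constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile

ALGO_BY_HEX_LEN = {40: "sha1", 64: "sha256", 128: "sha512"}  # hex length -> algorithm


def parse_checksum_line(line):
    """Parse '<hex digest>  <file name>', the sha1sum/sha256sum output format."""
    digest, _, name = line.strip().partition(" ")
    algo = ALGO_BY_HEX_LEN.get(len(digest))
    if algo is None or set(digest.lower()) - set("0123456789abcdef"):
        raise ValueError("not a recognised hex digest: %r" % digest)
    return algo, digest.lower(), name.lstrip(" *")  # '*' marks binary mode


def file_digest(path, algo, chunk_size=1 << 20):
    """Hash the file in chunks so a large download need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, checksum_line):
    """True only if both the file name and the digest match the published line."""
    algo, expected, name = parse_checksum_line(checksum_line)
    if os.path.basename(path) != os.path.basename(name):
        return False  # the line describes a different file
    return hmac.compare_digest(file_digest(path, algo), expected)


def demo():
    # Constructed sample: a stand-in download and the line a publisher would list.
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "tool.bin")
        with open(path, "wb") as fh:
            fh.write(b"constructed sample payload\n")
        published = hashlib.sha1(b"constructed sample payload\n").hexdigest() + "  tool.bin"
        intact = verify_download(path, published)
        with open(path, "ab") as fh:
            fh.write(b"x")  # simulate a modified or corrupted download
        return intact, verify_download(path, published)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

A matching checksum only shows that the file is the one the publisher listed; if the checksum is fetched from the same server as the download, it detects corruption rather than tampering.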

These are some of the aspects I think are worth considering, and there are assuredly aspects which I’ve missed. If I’ve made any obvious blunders or missed out on some important aspect, let me know.
