Compiling your own packages only ensures that, well, you’re running packages that you compiled. This definitely does not mean that your computer is running what you intend at all.
Half the time I don’t know what my CPU is executing, and that’s code that I wrote myself.
I like to imagine that the early heroes who programmed in punch cards and basically raw machine code knew exactly what the CPU was the computer was running, but who knows…
Most of the reason to build your own packages is a form of runtime assurance - to know what your computer is running is 100% what you intend.
At least as a guix user that’s what I tell myself.
Compiling your own packages only ensures that, well, you’re running packages that you compiled. This definitely does not mean that your computer is running what you intend at all.
Half the time I don’t know what my CPU is executing, and that’s code that I wrote myself.
This is true of all programming
I like to imagine that the early heroes who programmed in punch cards and basically raw machine code knew exactly what the CPU was the computer was running, but who knows…
Do you audit all the code before compiling? Otherwise you’re just transferring your trust elsewhere.
This is my experience playing with FreeBSD.
“These ports are cool, I can compile all the software from source so I know exactly what I’m getting!”
[This software has 100 dependencies]
“Well I’m not reading all that, I’ll just click Yes for all”