In this episode of “The Van Wirdum Sjorsnado,” hosts Aaron van Wirdum and Sjors Provoost discussed why it is important that Bitcoin software is open source and why even open source software does not necessarily solve all software-specific trust issues.
In theory, the fact that most Bitcoin nodes, wallets and applications are open source should make it impossible for developers to slip malicious code into the programs unnoticed: anyone can inspect the source code for malware. In practice, however, the number of people with the expertise (and the time) to actually do this review is small, and the reliance of some Bitcoin projects on external code libraries (“dependencies”) makes it harder still, since every dependency is additional code, maintained by someone else, that would have to be reviewed just as carefully.
In addition, even if the open source code is correct, that alone does not guarantee that the binaries (the compiled programs users actually download and run) were really produced from that source code. Van Wirdum and Provoost explain how this risk is largely mitigated in Bitcoin Core through a process called Gitian building: several developers independently compile the same source code, each signs the hashes of the binaries they produced, and a release is only published when those independently produced binaries are byte-for-byte identical. This requires a deterministic build environment (a fixed virtual machine image with pinned toolchain versions), because an ordinary compiler setup embeds timestamps, paths and other details that differ from machine to machine.
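As an added example (not code from the episode, and not Bitcoin Core's own release tooling), the following POSIX shell script reproduces the rule behind that attestation step: a release hash is accepted only if a minimum number of builders have published attestations, every attestation agrees with every other, and all of them match the hash of the locally built binary. The attestation file format (one `<sha256>  <filename>` line per binary), the builder names and the demo binary are constructed for illustration. In the real process each builder's hash list is also GPG-signed and checked with `gpg --verify` before it is trusted; this script assumes that signature check has already been done.

```shell
#!/bin/sh
# Added example, not from the podcast or Bitcoin Core: the "all builders must
# agree" rule behind reproducible-build attestations.
set -u

# Portable SHA-256 hex digest of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_attestations BINARY ATTESTATION_FILE...
# Assumed (hypothetical) attestation format: lines of "<sha256 hex>  <filename>",
# mirroring the hash list a builder signs. Succeeds (returns 0) only if at
# least MIN_SIGNERS attestations are given, each contains an entry for BINARY,
# and every entry equals the hash of the local BINARY. Any disagreement fails.
MIN_SIGNERS=${MIN_SIGNERS:-2}
verify_attestations() {
  bin="$1"; shift
  name=$(basename "$bin")
  local_hash=$(sha256_of "$bin")
  n=0
  for att in "$@"; do
    n=$((n + 1))
    h=$(awk -v f="$name" '$2 == f { print $1 }' "$att")
    if [ -z "$h" ]; then
      echo "REJECT: $att has no entry for $name"
      return 1
    fi
    if [ "$h" != "$local_hash" ]; then
      echo "REJECT: $att reports $h but local build is $local_hash"
      return 1
    fi
  done
  if [ "$n" -lt "$MIN_SIGNERS" ]; then
    echo "REJECT: only $n attestation(s), need at least $MIN_SIGNERS"
    return 1
  fi
  echo "OK: $n builders agree on $local_hash for $name"
  return 0
}

# Constructed fixture: one deterministic build, and one build from a builder
# whose environment leaked a timestamp into the output, so its hash differs.
DEMO_DIR=$(mktemp -d)
printf 'deterministic build output\n' > "$DEMO_DIR/bitcoin-demo"
printf 'deterministic build output\nbuild-time: 12:00\n' > "$DEMO_DIR/bitcoin-demo.leaky"
GOOD_HASH=$(sha256_of "$DEMO_DIR/bitcoin-demo")
BAD_HASH=$(sha256_of "$DEMO_DIR/bitcoin-demo.leaky")
ATT_A="$DEMO_DIR/builder-a.sha256"; printf '%s  bitcoin-demo\n' "$GOOD_HASH" > "$ATT_A"
ATT_B="$DEMO_DIR/builder-b.sha256"; printf '%s  bitcoin-demo\n' "$GOOD_HASH" > "$ATT_B"
ATT_C="$DEMO_DIR/builder-c.sha256"; printf '%s  bitcoin-demo\n' "$BAD_HASH"  > "$ATT_C"

# Two independent builders agree with the local build: the release may be signed.
verify_attestations "$DEMO_DIR/bitcoin-demo" "$ATT_A" "$ATT_B" || true
# A third builder disagrees: the release must not be signed until the cause is found.
verify_attestations "$DEMO_DIR/bitcoin-demo" "$ATT_A" "$ATT_B" "$ATT_C" || true
# A single attestation is not enough, even if it matches.
verify_attestations "$DEMO_DIR/bitcoin-demo" "$ATT_A" || true
```

The point of the third case is the one the hosts make: a single matching hash only proves that one machine produced that binary; the guarantee comes from several builders, with independently set-up environments, arriving at the same bytes.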
Finally, the hosts discuss Guix, a build system whose adoption for Bitcoin Core releases is relatively recent and which goes beyond the Gitian process in minimizing the trust required to turn source code into binaries. Where Gitian still relies on a pre-built compiler and toolchain, Guix bootstraps that toolchain itself from a very small, auditable binary seed, so that the compiler is no longer something that simply has to be taken on trust.