HACKER Q&A
📣 queden

Do some products use different code than they open-source?


It struck me that just because some code is open-sourced for a product, I wasn't sure if there was a way to know that this was actually the code that was in production. For example, an app might claim to be secure or private and attempt to prove it by being open-sourced, but what was actually being deployed contained some bit of invasive code. Does this happen, and are people worried about it? If it does happen, is there a way to recognize/prevent this?


  👤 swiftcoder Accepted Answer ✓
> is there a way to recognize/prevent this?

If you have a build system capable of deterministically reproducible builds (at the level of individual bits), then the vendor can publish the commit ids for every binary, and users can build their own version from that commit and verify that the signatures match.

In practice, very few build systems offer this level of reproducibility. I've only ever seen this supported by the in-house build system at Amazon.
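To make the check in the accepted answer concrete, here is an added example (not code from the thread or from any vendor mentioned in it). It packs a source tree into a tar archive while pinning every input the tar format would otherwise pick up from the build machine (entry order, mtimes, owner ids and names, mode bits), hashes the result, and compares it with a digest the vendor would publish next to the commit id. A "naive" archive built the usual way is included to show why an unpinned build cannot be verified this way. The sample source tree, the `SOURCE_DATE_EPOCH` value and the "tampered" edit are all constructed for the demonstration.

```python
"""Reproducible-build verification sketch (added example, not from the thread).

The vendor builds an artifact deterministically from a tagged commit and publishes
its SHA-256.  A user rebuilds from the same commit and compares digests; any byte
that differs (including a quietly changed config file) fails the check.
"""
import hashlib
import io
import os
import tarfile
import tempfile


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_reproducible_tar(src_dir: str, source_date_epoch: int) -> bytes:
    """Pack src_dir into a tar whose bytes depend only on file paths and contents.

    Everything nondeterministic that a tar header carries is pinned:
    entry order (sorted), mtime (SOURCE_DATE_EPOCH), uid/gid/uname/gname, mode.
    GNU_FORMAT is used so no pax extension headers sneak in.
    """
    entries = []
    for root, dirs, files in os.walk(src_dir):
        dirs.sort()  # fixed descent order regardless of filesystem ordering
        for name in files:
            full = os.path.join(root, name)
            entries.append((os.path.relpath(full, src_dir), full))

    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for arcname, full in sorted(entries):
            info = tar.gettarinfo(full, arcname=arcname)
            info.mtime = source_date_epoch
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            info.mode = 0o755 if info.mode & 0o100 else 0o644  # keep only exec bit
            with open(full, "rb") as fh:
                tar.addfile(info, fh)
    return buf.getvalue()


def build_naive_tar(src_dir: str) -> bytes:
    """Equivalent of a plain `tar cf`: inherits checkout mtimes and ownership."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        tar.add(src_dir, arcname=".")
    return buf.getvalue()


def verify_against_published(src_dir: str, source_date_epoch: int,
                             published_digest: str) -> bool:
    """The user-side check: rebuild from the commit and compare digests."""
    return sha256_bytes(build_reproducible_tar(src_dir, source_date_epoch)) == published_digest


def _write(base: str, rel: str, text: str) -> None:
    path = os.path.join(base, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo() -> dict:
    """Constructed scenario: vendor build, later user rebuild, tampered rebuild."""
    results = {}
    epoch = 1700000000  # hypothetical SOURCE_DATE_EPOCH recorded with the release
    with tempfile.TemporaryDirectory() as src:
        _write(src, "app/main.py", "print('hello')\n")
        _write(src, "app/config.toml", "telemetry = false\n")

        # Vendor side: build and publish the digest alongside the commit id.
        published = sha256_bytes(build_reproducible_tar(src, epoch))
        naive_first = sha256_bytes(build_naive_tar(src))

        # User side, some time later: same sources, different checkout mtimes.
        for root, _, files in os.walk(src):
            for f in files:
                os.utime(os.path.join(root, f), (epoch + 86400, epoch + 86400))
        results["reproducible_match"] = verify_against_published(src, epoch, published)
        results["naive_match"] = sha256_bytes(build_naive_tar(src)) == naive_first

        # A shipped build that quietly flips one setting fails verification.
        _write(src, "app/config.toml", "telemetry = true\n")
        results["tampered_match"] = verify_against_published(src, epoch, published)
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

Only the archive step is shown here; a real pipeline has to pin the compiler, its flags, every dependency and the container it runs in the same way, which is why the answer above calls bit-for-bit reproducibility rare in practice. The digest comparison is also only as trustworthy as the channel the published digest arrived through, so in practice it is signed by the vendor and the signature is checked before the hashes are compared.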