HACKER Q&A
📣 amichail

Why doesn't GitHub ensure binaries are compiled from the source as is?


In this way, you would feel safer downloading binaries without worrying about security issues.


👤 necovek Accepted Answer ✓
How would GitHub ensure that when it does not have a clear idea of "building" an arbitrary project?

You get those with publishing platforms which have semantic "build" steps (e.g. F-droid, Debian, RedHat, and certainly newer things like Nix).

As a public service, Launchpad.net has been doing this almost since inception, but especially since PPAs were created.

But this is easily beaten: witness all the binary blobs inside automatically built packages. As long as the maintainer controls the build recipe, and that recipe supports usual build functions (like "add this file to package"), they can simply insert a binary blob without any source code for it.
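The two halves of the accepted answer can be made concrete. Below is an added example (it is not from the thread, and not from GitHub or any of the platforms named) that (1) rebuilds an artifact from a source tree with normalised metadata and compares its digest against a "published" copy, which is what a platform with a semantic build step can check, and (2) scans the tree for opaque files that a "copy this into the package" step could ship without source, which is the part a digest match cannot catch. The sample project, its file names and the tampered release are all constructed for the demo; the "build" is a deterministic tar, standing in for a real compiler invocation.

```python
"""Added example (not from the thread): rebuild an artifact from source,
compare digests, then flag opaque files a build recipe could copy in
unchanged. All file names and contents below are constructed for the demo."""
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path

# Extensions that usually hold compiled code rather than source
# (assumption: a reasonable starting list, not an exhaustive one).
OPAQUE_SUFFIXES = {".so", ".dll", ".dylib", ".exe", ".o", ".a", ".jar", ".bin"}


def build_artifact(src_dir: Path) -> bytes:
    """Deterministic 'build': pack the tree into a tar whose metadata is
    normalised (sorted order, fixed mtime, uid/gid 0, fixed mode), so two
    builds of identical sources are byte-for-byte identical."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for path in sorted(p for p in src_dir.rglob("*") if p.is_file()):
            info = tarfile.TarInfo(name=path.relative_to(src_dir).as_posix())
            info.size = path.stat().st_size
            info.mtime = 0          # timestamps are the usual source of drift
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            info.mode = 0o644
            with path.open("rb") as fh:
                tar.addfile(info, fh)
    return buf.getvalue()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def find_opaque_files(src_dir: Path, probe: int = 8192) -> list:
    """Files a 'copy this into the package' build step could smuggle in:
    a known binary extension, or a NUL byte within the first `probe` bytes."""
    found = []
    for path in sorted(p for p in src_dir.rglob("*") if p.is_file()):
        with path.open("rb") as fh:
            head = fh.read(probe)
        if path.suffix.lower() in OPAQUE_SUFFIXES or b"\x00" in head:
            found.append(path.relative_to(src_dir).as_posix())
    return found


def verify_release(published: bytes, src_dir: Path) -> dict:
    """Rebuild from source and compare digests. A match shows the artifact
    came from this tree; it says nothing about whether the tree is all
    source, which is what the opaque-file list is for."""
    rebuilt = build_artifact(src_dir)
    return {
        "published_sha256": sha256_hex(published),
        "rebuilt_sha256": sha256_hex(rebuilt),
        "reproducible": sha256_hex(published) == sha256_hex(rebuilt),
        "opaque_files": find_opaque_files(src_dir),
    }


def make_sample_tree(root: Path) -> None:
    """Constructed sample project: one real source file plus a vendored blob."""
    (root / "src").mkdir(parents=True)
    (root / "src" / "main.c").write_text("int main(void) { return 0; }\n")
    (root / "vendor").mkdir()
    (root / "vendor" / "helper.bin").write_bytes(b"\x7fELF\x00\x00\x00fake")


def run_demo() -> dict:
    """Build the sample tree twice, then check an honest and a tampered release."""
    with tempfile.TemporaryDirectory() as tmp:
        tree = Path(tmp)
        make_sample_tree(tree)
        honest = build_artifact(tree)
        report = verify_release(honest, tree)
        # A release altered after the build (here: one byte appended).
        tampered = verify_release(honest + b"\x00", tree)
        return {
            "rebuild_stable": build_artifact(tree) == honest,
            "honest_reproducible": report["reproducible"],
            "tampered_reproducible": tampered["reproducible"],
            "opaque_files": report["opaque_files"],
        }


if __name__ == "__main__":
    print(run_demo())
```

Running it reports the honest release as reproducible, the padded one as not, and lists `vendor/helper.bin` as the one file in the tree that is not source. The design point is that the two checks answer different questions: the digest comparison only tells you the artifact matches what the recipe produces from the tree, so a blob committed into the tree passes it cleanly, and only the content scan surfaces that.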


👤 dave4420
They’d have to standardise the build system, wouldn’t they? And disallow building binaries for publication on anyone else’s infrastructure?

👤 JSDevOps
Still, there are supply chain attacks. How could you verify every dependency in a particular project perhaps?

👤 talldayo
Most pipelines already hash/sign the binary