Question for the devs in here... something I've been thinking about a lot recently. So I see that OP linked out to a public GitHub repo... but when downloading the actual bundle, what's a quick way for me to determine that what I'm installing on my Mac is actually the same as what's in the public repo? It's always seemed like a loophole to me, ready for (potential) exploitation.
>> Ship project.
>> Link out to the GitHub repo on the static site somewhere
>> Gain trust instantly as users presume the public repo is what's used behind the scenes
Disclaimer: I'm a web dev and don't know a single thing about native macOS software.
replies(3):
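The two checks a practitioner would actually run on a downloaded macOS bundle, as an added example that is not part of the thread and not code from the project OP linked: compare the artifact's SHA-256 against the checksum list the maintainer publishes next to the release, and then confirm the bundle carries a valid Developer ID signature from the expected Team ID. The `SHA256SUMS` file layout, the `App-1.0.dmg` name and the idea that the Team ID is known out of band (from the project's README, not from the download) are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Checks a downloaded macOS release
# artifact in two steps: (1) its SHA-256 must match the entry the maintainer
# published in a SHA256SUMS-style file next to the release, (2) on macOS, the
# bundle must carry a valid Developer ID signature from the expected Team ID.
# Assumptions: the maintainer publishes such a checksum file, and the Team ID
# is obtained out of band (e.g. from the project's README), not from the
# download itself.

# Portable SHA-256: macOS ships shasum(1), most Linux distributions sha256sum(1).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_checksum FILE SUMSFILE
#   returns 0 on match, 1 on mismatch, 2 if FILE has no entry in SUMSFILE.
verify_checksum() {
  file=$1
  sums=$2
  name=$(basename "$file")
  # sha256sum lines look like "<hex>  name" or "<hex> *name" (binary mode).
  expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1; exit }' "$sums")
  if [ -z "$expected" ]; then
    echo "no entry for $name in $sums" >&2
    return 2
  fi
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    echo "OK $name"
    return 0
  fi
  echo "MISMATCH $name: expected $expected, got $actual" >&2
  return 1
}

# verify_signature APP_BUNDLE EXPECTED_TEAM_ID   (macOS only)
#   returns 0 if the bundle's signature verifies, the signing Team ID matches,
#   and Gatekeeper would allow it; 3 if codesign is not available on this host.
verify_signature() {
  app=$1
  team=$2
  if ! command -v codesign >/dev/null 2>&1; then
    echo "codesign not available on this host; skipping signature check" >&2
    return 3
  fi
  codesign --verify --deep --strict "$app" || return 1
  # codesign -dv prints its report on stderr, one "Key=Value" per line.
  actual_team=$(codesign -dv "$app" 2>&1 | awk -F= '/^TeamIdentifier=/ { print $2 }')
  if [ "$actual_team" != "$team" ]; then
    echo "TeamIdentifier '$actual_team' does not match expected '$team'" >&2
    return 1
  fi
  spctl --assess --type execute "$app"
}

# verify_release FILE SUMSFILE [APP_BUNDLE TEAM_ID]
verify_release() {
  verify_checksum "$1" "$2" || return $?
  if [ "$#" -ge 4 ]; then
    verify_signature "$3" "$4" || return $?
  fi
}

# Usage: sh verify_release.sh App-1.0.dmg SHA256SUMS [/Applications/App.app TEAMID]
if [ "$#" -ge 2 ]; then
  verify_release "$@"
fi
```

Worth being clear about what this does and does not prove: a matching hash plus a valid Developer ID signature tells you the file on your disk is the exact artifact the maintainer published and signed, and that nothing was swapped in transit or on a mirror. It says nothing about whether that artifact was built from the public repo. Closing the loophole in the post requires either building from source yourself or a reproducible build, where anyone can rebuild from the tagged commit and get a byte-identical bundle whose hash they can compare.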