Security Week has published an article I wrote called “Establishing Correspondence Between an Application and its Source Code; How Combining Two Completely Separate Open Source Projects Can Make Us All More Secure“. I would love to see this concept come to fruition. IBM Research has had a long-term vision for enabling this type of integrity, and years after I first heard about it, it still astounds me how far ahead of their time they were and how durable their vision has been. The Debian Reproducible Builds project likewise amazes me: its leaders fearlessly took on a huge mountain of work and are making it happen.

The glue piece is still missing. Someone will need to stand up and be willing to sign the file hashes with a recognizable and valuable key, but we are inching closer to having the technology to ensure the integrity of the delivery chain between source code and executable process. Yeah, yeah, yeah, there is still the problem of trusting the compiler and of realistically being able to audit the source code, but solutions to the former problem have been posited and tools and techniques exist to deal with the latter (if you care enough to do it). We are inching closer.
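The "glue piece" described above, as an added example that is not code from the article, from IBM Research or from the Debian Reproducible Builds project: a rebuilder that has reproduced a package from tagged source signs a manifest of the output file hashes, and a consumer checks the signature over the whole manifest before comparing the hash of the binary it is about to run. It assumes Ed25519 for the attestation key and a simple "digest  name" manifest format; the key, artifact names and artifact bytes are constructed here for illustration.

```go
package main

import (
	"bufio"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Artifact is one file produced by a reproducible build: its path inside the
// package and its bytes. The bytes used below are constructed for the example.
type Artifact struct {
	Name string
	Data []byte
}

// BuildManifest renders a canonical list of "sha256  name" lines sorted by
// name, so two independent builders that produce identical files also produce
// byte-identical manifests (which is what makes a signature over it meaningful).
func BuildManifest(artifacts []Artifact) string {
	sorted := append([]Artifact(nil), artifacts...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Name < sorted[j].Name })
	var b strings.Builder
	for _, a := range sorted {
		sum := sha256.Sum256(a.Data)
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), a.Name)
	}
	return b.String()
}

// SignManifest is the attestation step: the holder of a recognizable key
// states that rebuilding the source gave exactly these hashes.
func SignManifest(priv ed25519.PrivateKey, manifest string) []byte {
	return ed25519.Sign(priv, []byte(manifest))
}

// parseManifest turns manifest text back into name -> hex digest, rejecting
// malformed and duplicate lines rather than guessing.
func parseManifest(manifest string) (map[string]string, error) {
	entries := make(map[string]string)
	sc := bufio.NewScanner(strings.NewReader(manifest))
	for sc.Scan() {
		line := sc.Text()
		if line == "" {
			continue
		}
		digest, name, ok := strings.Cut(line, "  ")
		if !ok || len(digest) != sha256.Size*2 || name == "" {
			return nil, fmt.Errorf("malformed manifest line: %q", line)
		}
		if _, dup := entries[name]; dup {
			return nil, fmt.Errorf("duplicate manifest entry: %q", name)
		}
		entries[name] = digest
	}
	return entries, sc.Err()
}

// VerifyArtifact is what a consumer runs before trusting a binary: verify the
// signature over the whole manifest first (so nobody can splice in a line),
// then check that the bytes about to be executed hash to the signed value.
func VerifyArtifact(pub ed25519.PublicKey, manifest string, sig []byte, name string, data []byte) error {
	if !ed25519.Verify(pub, []byte(manifest), sig) {
		return errors.New("manifest signature invalid: rebuilder did not attest to these hashes")
	}
	entries, err := parseManifest(manifest)
	if err != nil {
		return err
	}
	want, ok := entries[name]
	if !ok {
		return fmt.Errorf("%s: not present in signed manifest", name)
	}
	sum := sha256.Sum256(data)
	if got := hex.EncodeToString(sum[:]); got != want {
		return fmt.Errorf("%s: hash %s does not match signed %s", name, got, want)
	}
	return nil
}

func main() {
	// Constructed stand-ins for a rebuilder's key and its reproducible outputs.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	outputs := []Artifact{
		{"bin/app", []byte("ELF...deterministic build of app @ v1.2.3")},
		{"lib/libapp.so", []byte("ELF...deterministic build of libapp @ v1.2.3")},
	}
	manifest := BuildManifest(outputs)
	sig := SignManifest(priv, manifest)

	// The shipped binary matches what the independent rebuilder produced.
	fmt.Println("vendor binary:", VerifyArtifact(pub, manifest, sig, "bin/app", outputs[0].Data))
	// A binary with extra bytes (a different compiler, or worse) does not.
	tampered := []byte(string(outputs[0].Data) + " +patch")
	fmt.Println("tampered binary:", VerifyArtifact(pub, manifest, sig, "bin/app", tampered))
	// A manifest edited to cover a new file fails the signature check before any hash is consulted.
	forged := manifest + strings.Repeat("0", 64) + "  bin/evil\n"
	fmt.Println("forged manifest:", VerifyArtifact(pub, forged, sig, "bin/evil", []byte("x")))
}
```

The signature covers the entire manifest rather than individual lines, and the consumer checks it before looking at any hash; otherwise an attacker who can alter the download can alter the manifest to match. What the code cannot supply is the part the post says is missing: deciding whose public key counts as "recognizable and valuable" and getting it to consumers out of band.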