
> There's basically no way to do this without trusting the redistributor in addition to the original publisher, but some things can reduce the amount of trust. Having a verifiable build process, that checks signing keys and hashes, that re-signs, etc, that all helps. If end-users can theoretically produce exactly the same build themselves it's easier to trust it.

Really, what else could you ask for?

It only takes 1 trusted friend to verify the codebase, and from there it can spread. Luckily there are a lot of talented people on the Internet whom several people can vouch for, easy to find. It's pretty much a non-problem in the age of the Internet.

The same natural logic applies to anything else really... like cars - "yo what car do you trust?"

It's just the nature of living. If you don't have the skills, you need to find someone who does to trust. And no, just because it comes from a company doesn't mean you can trust it, that's a fallacy. "Safety" doesn't necessarily equate to "profits" which is what a business needs to live. It's an organism.



I'm certainly not equating safety to profits, but I think that a company such as Microsoft with decades of experience distributing cryptographically verified software to a range of demanding consumers (e.g. governments) and being big enough to be able to have teams running things like their certificate authority infrastructure, is much more likely to produce secure binary distributions than some GitHub Actions and shell scripts.

I don't think your car analogy quite fits, as there are ongoing updates, and it's not like the end-user perception of regular VSCode, or backdoored VSCode, are going to be any different until someone spots the backdoor (and we can't rely on that).


Meanwhile in the real world, Microsoft is actively screwing up, losing control of their signing keys, failing to implement even the basics of Azure authentication, destroying Azure customer VM security, and so on.

https://news.ycombinator.com/item?id=37261500

https://news.ycombinator.com/item?id=28347141

https://news.ycombinator.com/item?id=28532531


Seems your assumptions about their practices are wrong based on the other comment, but let's pretend that's the truth.

Why would a GitHub Action be worse? You're just telling me it is, asking me to believe that...

The car analogy is just that - you can break any analogy if you try. You've got a better one to help prove me right? :)



