No.

Code can have code hidden in it via build systems.

The systems themselves can have it in a hidden format.

Security is hard.


Discussion

How do you as a user protect against this?

You really can't.

An old example:

A c compiler compiles its own code.

The compiler can compile itself.

So the compiler compiled a version of itself with nefarious code.

This new version of the compiler compiles new code for the next version of the compiler. Code that doesn't have the actual hacked code in it, but does call it.

You now have clean source code that's open, but a corrupted compiler.

This kind of attack is crazy hard to uncover.

So the only real way to be fully convinced it's safe is to see the code before any compiled software is involved. Because any compiled software could be corrupted to inject things during compilation of otherwise clean source.

So yeah, it's a big problem. And that's not even getting into all the code at the hardware level that could be doing things.
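The attack described in the reply above (the "trusting trust" compiler attack) is small enough to model end to end. The following is an added example, not code from anyone in this thread: a toy "compiler" whose language is Python itself, so a "binary" is just source text and the clean compiler is the identity function. The trojaned compiler re-emits itself whenever it is asked to compile the compiler, and splices a backdoor into anything that looks like the login program. The clean compiler source, the login program, the backdoor password `letmein`, and the marker strings it keys on are all constructed for the demonstration. The last function is the check a practitioner would reach for: Diverse Double-Compiling (David A. Wheeler's technique), which compares the suspect compiler's output against a bootstrap chain rooted in an independent, trusted compiler.

```python
# Added example (not from the thread): a toy model of the "trusting trust"
# compiler attack, followed by the one check that catches it. The "language"
# is Python itself and a "binary" is just source text, so the clean compiler
# is the identity function. Everything below is constructed for illustration.

CLEAN_CC_SRC = '''\
def compile(src):
    return src
'''

LOGIN_SRC = '''\
def login(password, stored="hunter2"):
    return password == stored
'''

# The trojaned compiler binary. "@@" is replaced with a quoted copy of this
# template, so the binary carries its own text and can re-emit itself.
_TROJAN_TEMPLATE = '''\
PAYLOAD = @@
def compile(src):
    # Compiling the compiler: ignore the (clean) source, emit this trojan again.
    if "def compile(" in src:
        return PAYLOAD.replace("@@", repr(PAYLOAD), 1)
    # Compiling the login program: splice in a hard-coded backdoor password.
    if "def login(" in src:
        return src.replace("password == stored",
                           "password == stored or password == 'letmein'")
    return src
'''
TROJAN_CC_BIN = _TROJAN_TEMPLATE.replace("@@", repr(_TROJAN_TEMPLATE), 1)


def load(binary):
    """'Run' a binary: exec the text and hand back its namespace."""
    ns = {}
    exec(binary, ns)
    return ns


def build_with(compiler_bin, src):
    """Compile src using the compiler contained in compiler_bin."""
    return load(compiler_bin)["compile"](src)


def attack_demo():
    """Clean source in, corrupted toolchain, backdoored binary out."""
    # The attacker's trojaned compiler is already installed. Rebuild the
    # compiler from audited, clean source with it...
    rebuilt_cc = build_with(TROJAN_CC_BIN, CLEAN_CC_SRC)
    # ...and the result is still the trojan, byte for byte.
    self_propagated = rebuilt_cc == TROJAN_CC_BIN
    # Now build the (clean) login program with that rebuilt compiler.
    login_bin = build_with(rebuilt_cc, LOGIN_SRC)
    login = load(login_bin)["login"]
    return {
        "self_propagated": self_propagated,
        "backdoor_in_source": "letmein" in LOGIN_SRC,  # False: the source is clean
        "backdoor_works": login("letmein"),            # True: the binary is not
        "real_password_works": login("hunter2"),
    }


def diverse_double_compile(suspect_cc_bin, trusted_cc_bin, cc_src):
    """Diverse Double-Compiling (Wheeler). Compile cc_src with an independent
    trusted compiler, then compile cc_src again with that result; if the
    outcome is not bit-identical to what the suspect compiler produces from
    the same source, the suspect compiler is not faithfully translating it.
    Requires a deterministic build, and the trusted compiler must really be
    independent of the suspect one."""
    stage1 = build_with(trusted_cc_bin, cc_src)
    stage2 = build_with(stage1, cc_src)
    suspect_out = build_with(suspect_cc_bin, cc_src)
    return stage2 == suspect_out


if __name__ == "__main__":
    print(attack_demo())
    # The clean source run directly stands in for an independent trusted
    # compiler; in practice that would be a separately built toolchain.
    print("suspect compiler passes DDC:",
          diverse_double_compile(TROJAN_CC_BIN, CLEAN_CC_SRC, CLEAN_CC_SRC))
```

Note what the check does and does not buy you: `diverse_double_compile(TROJAN_CC_BIN, TROJAN_CC_BIN, ...)` returns `True`, because a compromised compiler agrees with itself. The detection only works when the second compiler has a genuinely separate provenance, which is exactly the "where did the first gcc come from" question raised later in this thread.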

I guess you can have the same problem with interpreted languages where the interpreter can be hacked.

Exactly.

This is one reason for pushing for tight code with few libraries. Anything in the chain could be compromised.

I guess if you can verify the compiler itself, that could help, right?

True. I am also thinking about making my service small so it is easy to review, easy to verify.

But this seems to go in the direction that you need to be aware of the whole system, so you really can verify everything, otherwise it can be faked.

Hmmm, how about docker?

Really, it's all about risk management at this point.

Some code from the 80s could still be hidden in there.

What was used to compile the first version of gcc? How did that come into being?

There are so many unknowns at this point that it's an impossible task to be certain without starting from scratch.

Exploits happen, or have always existed, and we need to do the best we can with what we have available, and prepare for disaster recovery.