Nikita

I just realized a problem that everyone probably already talked about in the past.

We praise #FOSS for its openness and security, but how can we be sure that the service that a company offers is the same code as what is stored in the source control?

Is there a good way to audit online services? Like, how can I be sure that the code of, say, mastodon.example was not tampered with? And are there any good articles and/or books on the topic?

6 comments
Григорий Клюшников

You have to trust people. There's no other choice really.

bignose

@kytta Necessary, but not sufficient, is that the website must have a clear link "here is where you can get the source code running this site".

This is what the #AfferoGeneralPublicLicense (#AGPL) requires: When the licensed work is presented for users to interact with, there must be a link right there on the page for them to get the entire corresponding source code.

That doesn't address whether it *is* the corresponding source code the site actually runs. But it's a necessary first step.

Martin

@kytta You're very right that this is a subject. A good place to begin is to look in the history of the AGPL.
The FSF basically admits that they have no solution except for the advisory to not use services that could also run natively.
Technically one could try a fully decentralized approach, but that requires all users to be able to set up a mini-server.

Martin

@kytta Some good places to look. The Tor project struggles with this problem and has written a lot about it, ActivityPub is an attempt to reduce the damage, and snowflake.org is an attempt to fix this for DNS.
