Is There a Way to Prove My Deployed Code Matches My Repository Code?

Asked By CuriousCodeWizard93 On

I'm curious about the level of certainty we can achieve regarding the code deployed on a server compared to the open-source code available in a repository. Specifically, if I run a web application and openly share the source code, is there any reliable way to guarantee that the code running on the server is exactly what was reviewed? I understand checksum verification might work in some cases, but I'm looking for stronger assurances, especially considering there could be closed-source components interacting with the data. It feels like this is a thought experiment worth discussing rather than a real-world production concern.

4 Answers

Answered By SecuritySally77 On

As long as your files aren't writable, you could technically fake everything in the deployment. An independent audit could build some trust, but even auditors can be misled if you're malicious.

Answered By BuilderBobby88 On

That's what reproducible builds aim to address! But keep in mind, even with reproducible builds, they don’t guarantee that what’s deployed is the same as what was built. The deployment process can still introduce discrepancies.

Answered By TechieTina42 On

There's a classic paper by Ken Thompson called 'Reflections on Trusting Trust' where he discusses how a compiler can be modified to inject hidden code. So, even if you have the source, you can't be 100% sure it’s what's actually running. It's a great read and relevant for anyone in tech, although it might not directly answer your question.

Answered By SkepticSam99 On

Honestly, probably not. Unless someone can physically inspect your data center and its connections, proving the code is trustworthy is a tall order. Even if the client asks for checksums of the source, the service could just provide a manipulated version. If you can't see the machine, it really comes down to trust.
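An added example, not code from any of the answers above, of the checksum-based check the thread keeps coming back to: build a content manifest of a reference tree (the output of a reproducible build) and diff it against what sits in the deployed directory. The file names and contents are constructed sample data; the `demo()` function and its two trees are my own scaffolding.

```python
import hashlib
import tempfile
from pathlib import Path

def tree_manifest(root: Path) -> dict[str, str]:
    """Map each regular file's POSIX-style relative path to its SHA-256.
    The walk is sorted so the manifest itself is deterministic."""
    files = sorted(p for p in root.rglob("*") if p.is_file())
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in files}

def manifest_digest(manifest: dict[str, str]) -> str:
    """One digest over the sorted manifest: the value you would publish for a release."""
    h = hashlib.sha256()
    for rel, digest in sorted(manifest.items()):
        h.update(f"{digest}  {rel}\n".encode())
    return h.hexdigest()

def diff_manifests(reference: dict[str, str], deployed: dict[str, str]) -> dict:
    """Files that differ between the reproducible build and the deployed tree.
    Note the limit the answers point out: this shows the files on disk match,
    not that the running process loaded them, and a digest the service reports
    about itself proves nothing unless you computed it from the machine."""
    return {
        "missing": sorted(set(reference) - set(deployed)),
        "unexpected": sorted(set(deployed) - set(reference)),
        "modified": sorted(p for p in reference.keys() & deployed.keys()
                           if reference[p] != deployed[p]),
    }

def _populate(root: Path, files: dict[str, bytes]) -> None:
    """Write a constructed sample tree (stand-in for a build output)."""
    for rel, content in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(content)

def demo() -> dict:
    """Compare a reference build against a deployment that has drifted, and
    confirm that a byte-identical second build yields the same release digest."""
    build = {"app/main.py": b"print('hello')\n", "app/util.py": b"LIMIT = 10\n"}
    deployed = dict(build, **{"app/util.py": b"LIMIT = 9999\n", "app/debug.py": b"# hotfix\n"})
    with tempfile.TemporaryDirectory() as tmp:
        ref, dep, twin = (Path(tmp) / n for n in ("reference", "deployed", "twin"))
        _populate(ref, build); _populate(dep, deployed); _populate(twin, build)
        ref_m, dep_m = tree_manifest(ref), tree_manifest(dep)
        return {"drift": diff_manifests(ref_m, dep_m),
                "twin_matches": manifest_digest(tree_manifest(twin)) == manifest_digest(ref_m)}

if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports `app/util.py` as modified and `app/debug.py` as unexpected, while the identical twin build produces the same release digest as the reference.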
