DEV Community

Arjen Postma

Can you prove the code in the repository isn't altered?

When developing open source software, how could someone prove to the user that the code running is actually the same as the code in the repository?

What if I were to develop an open source website that handles sensitive data? In theory a user could check the source code to see that nothing weird happens with their data, like sending user info to a third-party service. But how can you prove that the code in the repository isn't being edited somewhere else before being deployed to the server?

Or maybe a more immediate example: how can Ben prove that this website is actually using the code in

forem / forem on GitHub: For empowering community 🌱

Maybe I am overlooking something really obvious. I am aware that when it comes to downloading files you can use checksums to confirm it's the same, but can you apply the same technique to a website? You could put the checksum generated from the repository at the bottom of the website. But that doesn't really prove anything.

Have you ever thought about this? Got experience with this? Let's hear it.

Top comments (3)

Denis Rendler

If you use Git, you could try commit signing, or hash the tarball you release and make that public. Those are among the most used methods I've seen so far.

Arjen Postma (Author)

Commit signing would only tell the world the code actually comes from me. And the tarball is just a downloadable from GitHub, right? The actual code could still be modified before it actually arrives on the server.

Denis Rendler

You are correct. But I don't think there is a sure way of telling the users that what you are using is the exact copy of the code from a repo. Maybe package the app as a Docker image and add the image ID on the page? Or, if you are using PHP, package it as a PHAR archive and add its checksum on the page. I'm not sure of the equivalent in other languages.
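As an added example (not code from the post, the commenters, or Forem): one way to make the "hash what you release" idea checkable against the repository itself is to recompute git's own tree id over a set of files. That id depends only on file names and bytes, so anyone holding the deployed files can compare it with the tree of the commit the operator claims to run (`git rev-parse <commit>^{tree}` in the public repo). The function names and the sample files are my own; it assumes plain 100644 files and ignores symlinks, executable bits and submodules.

```python
import hashlib
import os

def git_blob_id(data: bytes) -> str:
    """Object id git assigns to file content: sha1 over "blob <size>\\0" + bytes."""
    return hashlib.sha1(b"blob %d\0" % len(data) + data).hexdigest()

def git_tree_id(files: dict) -> str:
    """Object id git assigns to a directory tree, as `git write-tree` computes it.
    `files` maps a relative POSIX path to its content; every file is treated as a
    regular 100644 file (symlinks, executables and submodules are not modelled)."""
    children = {}  # entry name -> bytes for a file, or a nested dict for a subdirectory
    for rel, data in files.items():
        head, _, tail = rel.partition("/")
        if tail:
            children.setdefault(head, {})[tail] = data
        else:
            children[head] = data
    entries = []
    for name, node in children.items():
        if isinstance(node, dict):
            # git orders a subdirectory as if its name ended in "/" and records it with mode 40000
            entries.append((name + "/", b"40000", name, git_tree_id(node)))
        else:
            entries.append((name, b"100644", name, git_blob_id(node)))
    entries.sort(key=lambda e: e[0].encode())
    body = b"".join(mode + b" " + name.encode() + b"\0" + bytes.fromhex(oid)
                    for _, mode, name, oid in entries)
    return hashlib.sha1(b"tree %d\0" % len(body) + body).hexdigest()

def read_tree(root: str) -> dict:
    """Collect every file under a deployed directory (skipping .git) in git_tree_id's format."""
    files = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            with open(full, "rb") as f:
                files[os.path.relpath(full, root).replace(os.sep, "/")] = f.read()
    return files

def matches_commit(root: str, expected_tree_id: str) -> bool:
    """True only if the deployed files are byte-for-byte the published commit's tree."""
    return git_tree_id(read_tree(root)) == expected_tree_id

if __name__ == "__main__":
    # Constructed sample: the files a commit contains, and a deployed copy with one line changed.
    repo = {"app.py": b"print('hi')\n", "static/site.js": b"console.log(1)\n"}
    tampered = dict(repo, **{"app.py": b"print('hi'); leak()\n"})
    print(git_tree_id(repo), git_tree_id(tampered))  # any changed byte yields a different id
```

This settles only whether a given set of files equals a given commit; whether the server really runs those files is the separate question the thread is about.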
