Can a service provider proof it is running a particular open source product? [closed]

Question

Closed. This question needs to be more focused. It is not currently accepting answers.

---

Want to improve this question? Update the question so it focuses on one problem only by editing this post.

Closed 1 year ago.

Improve this question

Part of our project includes an open source GO server that we have open sourced for transparency. How can we prove that we havent made any alterations to the code before we deployed it?

Answer 1

No that is impossible. Even if you included a service method that has some challenge/response mechanism, the service provider could run a proxy and pass on the request. And any mechanism could be reproduced easily because it is all open.

Even knowing they are running the same sever would not guarantee it would behave as expected. Results could be input dependent and the input could be local/configurable, impossible for you to verify.

I understand, transparency is all the rage now and you basically want to proof you are not Facebook, right? I would dedicate a page on my website to this and provide the warm feeling from there. You will need a good text writer though.

Answer 2

The only way I know you could solve is by find a trusted third party, hand your code over to them and let them compile and run it (maybe on a neutral cloud platform). If you want to provide / host the server on your own, you will probably have to let the trusted third party audit your internal processes.