
Ask HN: Proof that SaaS is running specific source code checkout? - twa927
There are SaaSes with open sourced code, claiming the benefits coming from this: the code can be reviewed by anyone (to check for backdoors/security issues). However, it looks to me it's impossible to prove that the actual SaaS is running a specific source code checkout. The open sourced code is just a static dump and the service is a dynamic "black box". Do you know any approach to resolve this?
======
joshdev
Based on my experience with SaaS, those that do offer Open Source software
are only open sourcing the core of their product. There is typically a whole
suite of tools and add ons that expand their core offering into something that
makes it more beneficial for companies to just go with the SaaS offering.
Deployment and monitoring are two pieces that come to mind.

------
twa927
One possibility would be to have a third-party service that would handle the
instantiation of a service from some declarative description. Say, you specify
a docker container and the service would run it and would tell you that the
given server is running as the specific docker container (so it would depend
on the authority of the service).

However, you wouldn't have a possibility to "log in" to a container or
interfere with it in any deep way, because it would break the concept.

I think that the "serverless" concept already treats the running service as an
immutable thing so probably adding the proof of running from a specific
checkout would be easier there.
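
The scheme sketched above, as an added example that is not part of the thread or of any real project: a hypothetical attestation authority starts an artifact and signs a statement binding (server, source tree digest, artifact digest); an auditor holding the public checkout rebuilds deterministically and checks the statement. Everything here is constructed: the source tree, the "build" step, the authority key, and the server name. HMAC is a stand-in for an asymmetric signature (with a real signature the auditor would hold only the authority's public key), and the whole proof is only as strong as the authority's word about what it ran.

```python
"""Toy attestation chain: bind a running artifact to a source checkout through
a signed statement from a hypothetical attestation authority.

Constructed example; assumptions are marked. The 'build' is a deterministic
function of the source tree, 'deployment' means the authority records the
digest of the artifact it actually started, and the auditor rebuilds from the
public checkout to compare.
"""
import hashlib
import hmac
import json

# Constructed sample source tree (path -> contents), standing in for a checkout.
SOURCE_TREE = {
    "app/main.py": "def handler(req):\n    return 'ok'\n",
    "app/config.yaml": "listen: 0.0.0.0:8080\n",
}

# Hypothetical authority signing key. HMAC is a stand-in for a real signature;
# with an asymmetric key the auditor would only need the public half.
AUTHORITY_KEY = b"hypothetical-authority-secret"


def tree_digest(tree: dict) -> str:
    """Content-address a tree like a simplified git tree object: hash each
    file, then hash the sorted list of (path, file hash)."""
    h = hashlib.sha256()
    for path in sorted(tree):
        blob = hashlib.sha256(tree[path].encode()).hexdigest()
        h.update(f"{path}\0{blob}\n".encode())
    return h.hexdigest()


def build(tree: dict) -> bytes:
    """Deterministic 'build': concatenating files in sorted order stands in for
    a reproducible image build. Same inputs always give the same bytes."""
    return b"".join(f"--- {p}\n{tree[p]}".encode() for p in sorted(tree))


def artifact_digest(artifact: bytes) -> str:
    return "sha256:" + hashlib.sha256(artifact).hexdigest()


def _canonical(statement: dict) -> bytes:
    # Canonical JSON so signer and verifier hash identical bytes.
    return json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()


def issue_attestation(server: str, source_tree: str, artifact: bytes) -> dict:
    """Authority side: record what was started on `server` and sign the binding
    between the source tree digest and the artifact digest."""
    statement = {
        "server": server,
        "source_tree": source_tree,
        "artifact": artifact_digest(artifact),
    }
    sig = hmac.new(AUTHORITY_KEY, _canonical(statement), hashlib.sha256).hexdigest()
    return {"statement": statement, "signature": sig}


def verify(attestation: dict, expected_tree: dict, server: str) -> bool:
    """Auditor side: accept only a validly signed statement for this server
    whose artifact matches a local rebuild of the public checkout."""
    statement = attestation["statement"]
    expected_sig = hmac.new(AUTHORITY_KEY, _canonical(statement), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, attestation["signature"]):
        return False  # statement forged or altered in transit
    if statement["server"] != server:
        return False  # attestation is about a different server
    if statement["source_tree"] != tree_digest(expected_tree):
        return False  # attested to a different checkout than the one audited
    # Reproduce the build locally and compare artifact digests.
    return statement["artifact"] == artifact_digest(build(expected_tree))


def demo() -> tuple:
    """Clean deployment verifies; a one-line backdoor in the deployed source
    changes both digests, so verification against the public checkout fails."""
    clean = SOURCE_TREE
    att = issue_attestation("api-1.example", tree_digest(clean), build(clean))
    backdoored = {**clean, "app/main.py": clean["app/main.py"] + "import os\n"}
    att_bad = issue_attestation("api-1.example", tree_digest(backdoored), build(backdoored))
    return verify(att, clean, "api-1.example"), verify(att_bad, clean, "api-1.example")


if __name__ == "__main__":
    print(demo())
```

What this does not give you is any evidence about the host: the authority can only attest to what it believes it started, and a provider that controls the hardware can alter the running process after attestation without the statement changing.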

------
mbrock
GNU has a page about the problems of SaaSS ("Service as a Software
Substitute") going into the problems you mention.

[https://www.gnu.org/philosophy/who-does-that-server-really-serve.en.html](https://www.gnu.org/philosophy/who-does-that-server-really-serve.en.html)

------
throwaway2016a
I agree with another commenter that in all likelihood it isn't running the
same software; rather, the core is open sourced and they have proprietary
value-added tools.

For example, many OSS SaaS products I've seen have an open source version that
only supports running a single user or single company but their deployed SaaS
version is multi tenant.

So if you're really concerned about SaaS products slipping in back doors or
something like that which defeats the "publicly auditable" condition (if I'm
reading your concern right), you can't do anything about it except run the OSS
code yourself and not use the SaaS.

------
alkchr
There was a similar discussion on HN. And somebody posted a link to the
"CloudProxy Tao for Trustworthy Computing" [1]. I have no idea how it works
though.

[1]:
[https://github.com/jlmucb/cloudproxy](https://github.com/jlmucb/cloudproxy)

------
notduncansmith
It'd be expensive to run a full SaaS, but technically you could do it on
Ethereum, and the execution would be verified by the blockchain.

------
hakanderyal
Since the hardware is under control of the provider, there isn't any practical
way to _really_ ensure anything.

