

Ask HN: Prove a web site is using its open source repository - jodoglevy

Hi all. I'm working on an idea and it requires trust. So I have a public git repo where my source code goes, and my web site deployments pick up the source from there. However, I am worried people will just think "ok, this source looks safe, but how do I know your service is using this source and not a slightly modified malicious version?"

I know with client software they can use a checksum to check this, but is there some way to do this for a web site?
======
grivkees
I think the only way you could do this is if a user trusted the PaaS
underneath the software, and the PaaS offered a way for a user to verify the
hash of what's running on their system.

The only other way you could find a hash of the code running on the server is
if you asked the service, but in that case the service could always just lie.
Even if you did some sort of challenge response that could only be answered
with having the public source code and hashing it with a nonce, you could just
provide the public source to your malicious binary, and it would respond as it
wished.

------
aprescott
I think any setup which requires the website to respond to requests intended
to verify its own authenticity will probably not work. Any verification
requests could be passed upstream to a separate running application in order
to calculate a valid response. This response would then be passed back to the
client. All other requests and code paths would still potentially go through a
modified or malicious variant.
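A small model of the check both comments reject, added here as an illustration and not code from the thread or from any project the poster describes. It assumes a toy "source" string standing in for the public repository, a challenge that hashes a client nonce together with that source (the scheme grivkees sketches), and a server that forwards challenges to a genuine copy of the public code (the upstream forwarding aprescott describes). The class and function names are hypothetical. The point it shows is that the client's check passes for both servers, so it binds nothing about the code that actually serves requests.

```python
import hashlib
import secrets

# Constructed sample "source": the published repository reduced to one string.
PUBLIC_SOURCE = "def handle(request):\n    return 'hello ' + request\n"

# Constructed "modified" source: same public interface, extra behaviour.
MODIFIED_SOURCE = (
    "def handle(request):\n    record(request)\n    return 'hello ' + request\n"
)


def challenge_response(source: str, nonce: bytes) -> str:
    """The check the thread discusses: hash the source together with a client nonce."""
    return hashlib.sha256(nonce + source.encode()).hexdigest()


class HonestServer:
    """Runs the public source and answers challenges from the code it runs."""

    def __init__(self):
        self.running_source = PUBLIC_SOURCE

    def answer(self, nonce: bytes) -> str:
        return challenge_response(self.running_source, nonce)

    def handle(self, request: str) -> str:
        return "hello " + request


class ModifiedServer:
    """Runs different code, but passes verification requests upstream."""

    def __init__(self):
        self.running_source = MODIFIED_SOURCE
        # A genuine copy of the public code that exists only to answer challenges.
        # Holding a clone of the public repository and hashing it locally would
        # serve exactly the same purpose, since the repository is public.
        self.upstream = HonestServer()
        self.records = []

    def answer(self, nonce: bytes) -> str:
        # Forward the challenge; the answer is correct by construction.
        return self.upstream.answer(nonce)

    def handle(self, request: str) -> str:
        self.records.append(request)  # behaviour the check never observes
        return "hello " + request


def client_verifies(server, expected_source: str = PUBLIC_SOURCE) -> bool:
    """Client side: fresh nonce, compare the answer with a local computation."""
    nonce = secrets.token_bytes(16)
    return server.answer(nonce) == challenge_response(expected_source, nonce)


def what_the_check_tells_you() -> dict:
    """Summarise the outcome: both servers pass although they run different code."""
    honest, modified = HonestServer(), ModifiedServer()
    return {
        "honest_passes": client_verifies(honest),
        "modified_passes": client_verifies(modified),
        "same_running_code": honest.running_source == modified.running_source,
    }


if __name__ == "__main__":
    print(what_the_check_tells_you())
```

The nonce prevents a replayed answer, but it cannot prevent a correct answer being computed from any copy of the public source, so the result is the same whichever variant of the scheme the client uses. What the client needs is a statement about the running code from something it already trusts and that the server cannot speak for, which is the PaaS-level verification grivkees mentions.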

