Ask HN: Proof that SaaS is running specific source code checkout?
There are SaaSes with open sourced code, claiming the benefits coming from this: the code can be reviewed by anyone (to check for backdoors/security issues). However, it looks to me it's impossible to prove that the actual SaaS is running specific source code checkout. The open sourced code is just a static dump and the service is a dynamic "black box". Do you know any approach to resolve this?
7 comments
[ 0.19 ms ] story [ 34.9 ms ] threadHowever, you wouldn't have a possibility to "log in" to a container or interfere with it in any deep way, because it would break the concept.
I think that the "serverless" concept already treats the running service as an immutable thing so probably adding the proof of running from a specific checkout would be easier there.
https://www.gnu.org/philosophy/who-does-that-server-really-s...
For example, many OSS SaaS products I've seen have an open source version that only supports running a single user or single company but their deployed SaaS version is multi tenant.
So if you're really concerned about SaaS products slipping in back doors or something like that that defeats the "publicly audit-able" condition (if I'm reading your concern right) you can't do anything about it except run the OSS code yourself and not use the SaaS.
[1]: https://github.com/jlmucb/cloudproxy