Post AVeqJ2FwjIvZrRZ8JE by dbread@qoto.org
Post #AVePZMR0mE4uJYIkfg by kytta@fosstodon.org
       2023-05-14T12:49:00Z
       
       1 likes, 1 repeats
       
       I just realized a problem that everyone probably already talked about in the past. We praise #FOSS for its openness and security, but how can we be sure that the service that a company offers is the same code as what is stored in the source control? Is there a good way to audit online services? Like, how can I be sure that the code of, say, mastodon.example was not tampered with? And are there any good articles and/or books on the topic?
       
Post #AVePZNyN3gMB5IuuJ6 by iron_bug@friendica.ironbug.org
       2023-05-14T16:12:15Z
       
       0 likes, 0 repeats
       
       it's simple: if the code is GPL and it is changed in some way they should publish the changes. this is the requirement of GPL. but the only really right way of open source is to keep your own server.
       
Post #AVeZw2Tu80BidG6hBw by PublicLewdness@freespeechextremist.com
       2023-05-14T18:09:01.811051Z
       
       1 likes, 0 repeats
       
       @kytta I believe reproducible builds are what you seek. Not every project employs this though. https://reproducible-builds.org/
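The reproducible-builds idea referenced above, as an added worked example that is not part of the original post and not code from reproducible-builds.org: two simulated builders pack the same constructed source tree into a .tar.gz. The naive build embeds each builder's wall clock and directory listing order, so the two digests differ even though the sources are identical; the normalized build sorts entries, pins ownership and mode, uses a fixed mtime in the SOURCE_DATE_EPOCH style and zeroes the gzip header timestamp, so anyone can rebuild and compare against a published hash. The source tree, the epoch constant and all function names are assumptions made for the example.

```python
import gzip
import hashlib
import hmac
import io
import tarfile

# Constructed sample source tree (path -> bytes); not taken from any real project.
SOURCE_TREE = {
    "src/main.py": b"print('hello')\n",
    "README.md": b"# demo\n",
    "src/util.py": b"def f():\n    return 1\n",
}

# Assumed fixed timestamp standing in for SOURCE_DATE_EPOCH (normally the last
# commit time). Any agreed constant works; the point is that it is not "now".
SOURCE_DATE_EPOCH = 1_684_000_000


def build_tarball(files, listing_order, build_time, *, deterministic):
    """Pack `files` into an in-memory .tar.gz and return the bytes.

    listing_order: the order this builder's filesystem happened to return paths.
    build_time:    this builder's wall clock (seconds since the epoch).
    deterministic=False mimics a naive build: entries in listing order, and the
    wall clock written into both the tar entries and the gzip header.
    deterministic=True applies the usual normalizations: sorted entries, a fixed
    mtime, gzip timestamp forced to 0, and no embedded filename in the gzip header.
    """
    order = sorted(files) if deterministic else list(listing_order)
    entry_mtime = SOURCE_DATE_EPOCH if deterministic else int(build_time)
    gzip_mtime = 0 if deterministic else int(build_time)

    buf = io.BytesIO()
    # GzipFile with no filename and a BytesIO target writes an empty name field,
    # so the only header variance left is the mtime we control here.
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=gzip_mtime) as gz:
        with tarfile.open(fileobj=gz, mode="w") as tar:
            for path in order:
                data = files[path]
                info = tarfile.TarInfo(name=path)
                info.size = len(data)
                info.mtime = entry_mtime
                # Owner and mode are another classic source of irreproducibility.
                # They are pinned in both modes so the naive variant differs only
                # in entry order and timestamps, which is what the demo isolates.
                info.uid = info.gid = 0
                info.uname = info.gname = ""
                info.mode = 0o644
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def independent_builders_agree(files, *, deterministic):
    """Simulate two builders with different clocks and directory ordering and
    report whether their artifacts are byte-identical."""
    first = build_tarball(files, list(files), 1_700_000_000,
                          deterministic=deterministic)
    second = build_tarball(files, list(reversed(list(files))), 1_700_000_123,
                           deterministic=deterministic)
    return sha256_hex(first) == sha256_hex(second)


def verify_release(published_sha256, rebuilt_artifact):
    """Downstream check: rebuild from the published source and compare the
    digest with the one the project published. compare_digest is constant-time;
    it matters little for a public hash but is the right habit."""
    return hmac.compare_digest(published_sha256, sha256_hex(rebuilt_artifact))


if __name__ == "__main__":
    print("naive builds agree:     ",
          independent_builders_agree(SOURCE_TREE, deterministic=False))
    print("normalized builds agree:",
          independent_builders_agree(SOURCE_TREE, deterministic=True))
```

What this does and does not give you: a reproducible build lets a third party confirm that a specific artifact (a release tarball, a container image) was produced from the published source. It says nothing about which artifact a remote server is actually executing, which is the gap the original question in this thread is about; closing that gap needs something beyond build reproducibility, such as the attestation approaches discussed further down.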
       
Post #AVeZxbMTvgt16KNdaa by jeff@federated.fun
       2023-05-14T18:09:09.540756Z
       
       1 likes, 0 repeats
       
       @kytta here's an idea: make code review but with blockchain :DDD
       
Post #AVeh4EiNEBryZLjN2W by kytta@fosstodon.org
       2023-05-14T19:12:46Z
       
       0 likes, 0 repeats
       
       @iron_bug it's true, but if someone violates it, how would we know?
       
Post #AVeh4FL0uWmIVBoEGe by iron_bug@friendica.ironbug.org
       2023-05-14T19:28:25Z
       
       0 likes, 0 repeats
       
       I think this is a juridical question, and I'm not a lawyer. for myself I have a very simple rule: I use only my own resources.
       
Post #AVekTeMHK2jvCgCoRk by iron_bug@friendica.ironbug.org
       2023-05-14T20:06:49Z
       
       0 likes, 0 repeats
       
       really, the laws are more complicated and changed GPL code should be supplied on demand if a user uses the software that runs on this code. but whether users of web services are "users of software" - this is a question. it was a big turmoil when MongoDB prohibited the use of their free code in commercial cloud servers. but this is Mongo's license, not GPL.
       
Post #AVepre4uVzB73VLLMm by ianthetechie@fosstodon.org
       2023-05-14T13:35:26Z
       
       1 likes, 0 repeats
       
       @kytta interesting question. Curious if anyone else has any ideas on that. I think it would be quite difficult or impossible. You can always run middle layers so I’m not sure if even “proof” that they ran open source software X would be meaningful. The main benefit of FOSS is source availability and freedom to do what you want with it IMO. Being able to verify that SERVICE does what they say feels different. Though I don’t know exactly what to call it. Just my random musings.
       
Post #AVepreyv9jytrDY4fY by nilesh@fosstodon.org
       2023-05-14T14:19:12Z
       
       1 likes, 0 repeats
       
       @ianthetechie @kytta I believe this falls under "verifiable computing". Blockchain has some solutions for this (e.g. the code for a smart contract is executed on every node with fully deterministic results) but of course, it's not feasible economically for most of the real-world applications. Of course, at the extreme, you can't even trust that a program on your own machine does what its source says it does. A classic paper is "Reflections on Trusting Trust" by Ken Thompson: https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf
       
Post #AVeprfq5y2W2W8QXYG by iron_bug@friendica.ironbug.org
       2023-05-14T21:07:07Z
       
       0 likes, 0 repeats
       
       you can simply read the code. and no blockshit is needed for this.
       
Post #AVeqJ2FwjIvZrRZ8JE by dbread@qoto.org
       2023-05-14T21:01:25Z
       
       1 likes, 0 repeats
       
       @nilesh a good insight about the creation of a compiler and self-recreating programs, but the last chapter on hacker ethics is a bit outdated. Ok, that's legit, the paper is from 1984 :D