2

Suppose there is a deployed, public website/web service. They say it is an instance of an open source codebase. Can they prove it to me?

For example, take the useful www.s3auth.com, an HTTP auth gateway for S3 that lets you password protect static sites hosted on S3 (thanks to @yegor256). Yegor graciously open-sourced the service to assuage privacy concerns:

I made this software open source mostly to guarantee to my users that the server doesn't store their private data anywhere, but rather acts only as a pass-through service. As a result, the software is on GitHub.

Can he somehow prove to users that www.s3auth.com actually uses the exact codebase on Github?

Community
  • 1
  • 1
lippytak
  • 31
  • 2

1 Answers1

1

Short answer

In the general case: No, without a complete and external audit of the software, hardware and network infrastructure during a specific period of time

Explanation

Ensure that a sofware is according an specification it is not at all a trivial task. Note that even the requirement actually uses the exact codebase on Github is not clear:

- Includes any part of the repository
- Includes a full tag
- Includes a full tag at a point of time
- Includes a full tag at a point of time and uses some functionality
- Includes a full tag at a point in time and uses a significant part of the functionality
- Includes a full tag at a point in time, uses a significant portion of the functionality, and there is no additional function that substantially modifies the behavior
- Includes a full tag at a point of time, uses a significant part of the functionality, and there is no additional function
- etc

An auditor should check:

  • the code to ensure that the requirement is acomplished
  • the build process to verify that the deliverable is the expected and does not include or remove parts
  • The hardware infraestructure to ensure the software is deployed, not altered an used as is
  • The network infraestructure to verify the deployed version is really the same that the users are getting

Any change on the code or infraestructure will invalidate the audit results

The auditor should be external to ensure independence and should in turn be audited by a regulatory body that certifies that it is capable of performing the process

I think I am beating around the bush. .I want to illustrate that assert that a software meets a specification it is difficult, expensive, and sometimes not useful. Of course, this process it is not needed if both parties agree on something simpler

This kind of audits exists in the real world, especially in the world of security. For example FIPS 140 or Common Criteria evaluations certifies that Hardware Security Modules or even software packages meets some security requirements. I know also some trusted certifiers that prove that a site shows a specific content at a point of time (usually applied to e-goverment)

pedrofb
  • 37,271
  • 5
  • 94
  • 142