Introducing Verifiable Open Source
What is Verifiable Open Source and How Does It Work?
Open source software has been around for decades, but it has always worked best for software that users download and run themselves. As a web developer you can publish your code to a public GitHub repository too, but until now there has been no way to prove that the code in that repository is the code actually running on your servers.
With advances in DevOps technology, it is possible to leverage open source for a new use case: you can now prove what code you are running on your website. This is a timely advancement; it can be used to ease new customer concerns created by GDPR and high-profile privacy abuses. It can also help reduce customer fears when the validity of an application's claims creates a conflict of interest within the firm (e.g. VPN providers can now prove that they don't keep logs, and gambling sites can prove that their games' odds are fair).
To date, we've made two forms of verifiable open source available on SourceReports.com. The first requires the website developer to use AWS CodePipeline (a CI/CD service) and to grant specific permissions to Source Reports. The Source Reports system then reads the pipeline's settings and returns the GitHub repository that the pipeline uses as its source. There are some limitations: the virtual machine cannot be accessed over SSH, and only certain server operating systems are supported.
Roughly every two minutes, the pipeline settings are checked against the live DNS. If the function reports that the check was successful, this is reflected in the Source Reports web interface: a "Last confirmed" field is updated with the date and time of the last successful check. A discerning user can also perform a "Live check", which triggers a fresh confirmation that the GitHub repository is in use while he or she waits.
The second form is compatible with AWS Lambda functions. With the correct permissions enabled, our service checks an API Gateway endpoint and returns the code used by the Lambda function that the endpoint executes. Users can find all of the values they need to run the check with their browser's "Inspect Element" tool while using the website they wish to validate.
In both cases we provide an AWS CloudFormation template that deploys a Lambda function, so any user can run the check independently and test the validity of our claims.
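As an added example (my own code, not Source Reports' system and not the Lambda shipped in their CloudFormation template), the two lookups described above expressed in Python. The AWS response shapes are the real ones returned by boto3's `codepipeline.get_pipeline`, `apigateway.get_integration` and `lambda.get_function` calls, but every value in them (pipeline name, repository, account id, function name, source file) is constructed sample data so the script runs offline. The last step goes one notch beyond the post: rather than just returning the Lambda's code, it compares the `CodeSha256` that Lambda reports against a deterministic local build of the published source, which is the check a user would want in order to confirm that the deployed package really came from that source.

```python
"""Added example, not Source Reports' own code: the lookups the post describes,
run against constructed inputs shaped like real AWS API responses so it runs offline.
In a live check the dictionaries would come from existing boto3 calls:
  codepipeline.get_pipeline(name=...)["pipeline"]  -> PIPELINE_DEFINITION
  apigateway.get_integration(...)["uri"]           -> INTEGRATION_URI
  lambda.get_function(FunctionName=...)            -> FUNCTION_RESPONSE
"""
import base64
import hashlib
import io
import re
import zipfile

# ---- Form 1: which GitHub repository is the CodePipeline configured to pull from? ----

# Constructed sample, shaped like the "pipeline" element of get_pipeline().
PIPELINE_DEFINITION = {
    "name": "example-site-pipeline",
    "stages": [
        {"name": "Source", "actions": [{
            "name": "GitHub_Source",
            "actionTypeId": {"category": "Source", "owner": "ThirdParty",
                             "provider": "GitHub", "version": "1"},
            "configuration": {"Owner": "example-org", "Repo": "example-site",
                              "Branch": "main", "PollForSourceChanges": "false"},
        }]},
        {"name": "Deploy", "actions": [{
            "name": "Deploy_To_Beanstalk",
            "actionTypeId": {"category": "Deploy", "owner": "AWS",
                             "provider": "ElasticBeanstalk", "version": "1"},
            "configuration": {"ApplicationName": "example-site", "EnvironmentName": "prod"},
        }]},
    ],
}


def source_repositories(pipeline):
    """Return (provider, repository, branch) for every Source action in the definition.

    Covers the two GitHub-backed providers, the original GitHub (version 1) action and
    CodeStarSourceConnection; any other source provider is reported with repository None.
    """
    found = []
    for stage in pipeline.get("stages", []):
        for action in stage.get("actions", []):
            type_id = action["actionTypeId"]
            if type_id["category"] != "Source":
                continue
            cfg = action.get("configuration", {})
            if type_id["provider"] == "GitHub":
                found.append(("GitHub", f"{cfg['Owner']}/{cfg['Repo']}", cfg.get("Branch")))
            elif type_id["provider"] == "CodeStarSourceConnection":
                found.append(("CodeStarSourceConnection", cfg["FullRepositoryId"],
                              cfg.get("BranchName")))
            else:
                found.append((type_id["provider"], None, None))
    return found


# ---- Form 2: which Lambda sits behind the API Gateway endpoint, and does the package it
#      reports as deployed match a build of the published source? ----

# Constructed sample "uri" of an AWS_PROXY integration as returned by get_integration().
INTEGRATION_URI = ("arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/"
                   "arn:aws:lambda:us-east-1:123456789012:function:example-handler/invocations")

_LAMBDA_INTEGRATION = re.compile(
    r"^arn:aws:apigateway:[a-z0-9-]+:lambda:path/2015-03-31/functions/"
    r"(?P<arn>arn:aws:lambda:[a-z0-9-]+:\d{12}:function:[^/]+)/invocations$")


def lambda_arn_from_integration(uri):
    """Extract the function ARN (possibly carrying :alias or :version) from the URI."""
    match = _LAMBDA_INTEGRATION.match(uri)
    if match is None:
        raise ValueError(f"not a Lambda integration URI: {uri}")
    return match.group("arn")


def build_deployment_package(files):
    """Zip a {path: source} tree deterministically (sorted entries, fixed timestamp,
    no compression) so identical source always produces identical bytes; without a
    reproducible build the hash comparison below could never succeed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path in sorted(files):
            info = zipfile.ZipInfo(path, date_time=(1980, 1, 1, 0, 0, 0))
            info.compress_type = zipfile.ZIP_STORED
            zf.writestr(info, files[path])
    return buf.getvalue()


def code_sha256(package_bytes):
    """Lambda's CodeSha256 field is the base64 encoding of the SHA-256 of the zip."""
    return base64.b64encode(hashlib.sha256(package_bytes).digest()).decode("ascii")


def lambda_code_matches(function_response, files):
    """Compare the CodeSha256 reported by get_function() with a local build of the source."""
    reported = function_response["Configuration"]["CodeSha256"]
    return reported == code_sha256(build_deployment_package(files))


# Constructed source tree; in practice this is a checkout of the repository found above.
PUBLISHED_SOURCE = {"handler.py": "def handler(event, context):\n    return {'statusCode': 200}\n"}

# Constructed get_function() response for a deployment built from PUBLISHED_SOURCE.
FUNCTION_RESPONSE = {"Configuration": {
    "FunctionName": "example-handler",
    "CodeSha256": code_sha256(build_deployment_package(PUBLISHED_SOURCE)),
}}

if __name__ == "__main__":
    print(source_repositories(PIPELINE_DEFINITION))
    print(lambda_arn_from_integration(INTEGRATION_URI))
    print(lambda_code_matches(FUNCTION_RESPONSE, PUBLISHED_SOURCE))          # True
    altered = {"handler.py": PUBLISHED_SOURCE["handler.py"] + "# one extra line\n"}
    print(lambda_code_matches(FUNCTION_RESPONSE, altered))                   # False
```

The pipeline lookup only tells you which repository and branch the pipeline is configured to pull from; the hash comparison is what ties the bytes actually deployed to a specific source tree, and it only works if the build that produced the Lambda package is reproducible in the way `build_deployment_package` is.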
The Source Reports verifiable open source system marks the first opportunity for web developers to prove their web application’s code to their customers. All of our essential code is open source, so please check it out here if you are interested. Also, please check out SourceReports.com or send me an email if you might be interested in implementing this on your application; we are in a public alpha stage and are looking for interested participants and collaborators.
Originally published at https://www.sourcereports.com.