There are SaaSes with open-sourced code, claiming the benefits that come from this: the code can be reviewed by anyone (to check for backdoors/security issues). However, it looks to me that it's impossible to prove that the actual SaaS is running a specific source code checkout. The open-sourced code is just a static dump and the service is a dynamic "black box". Do you know any approach to resolve this?
Based on my experience with SaaS, those that do offer open source software are only open sourcing the core of their product. There is typically a whole suite of tools and add-ons that expand their core offering into something that makes it more beneficial for companies to just go with the SaaS offering. Deployment and monitoring are two pieces that come to mind.
One possibility would be to have a third-party service that would handle the instantiation of a service from some declarative description. Say, you specify a docker container and the service would run it and would tell you that the given server is running as the specified docker container (so it would depend on the authority of the service).

However, you wouldn't have a possibility to "log in" to a container or interfere with it in any deep way, because it would break the concept.

I think that the "serverless" concept already treats the running service as an immutable thing, so probably adding the proof of running from a specific checkout would be easier there.
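The attested-runner idea above, as an added example that is not from this thread: the third party that launched the container issues a signed statement naming the image digest it is running, and the client checks authenticity, freshness (its own nonce) and equality with the digest of an image it built itself from the published checkout. The authority key, service name and digests are constructed for the demo, and an HMAC with a shared secret stands in for the authority's real (asymmetric) signature; note that the whole scheme is only as trustworthy as the runner, exactly as the comment says.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo key. A real attestation authority would hold an asymmetric
# key pair; HMAC with a shared secret is used here as a stand-in (assumption).
AUTHORITY_KEY = b"constructed-demo-authority-key"


def canonical(statement: dict) -> bytes:
    """Deterministic encoding so issuer and verifier sign/verify identical bytes."""
    return json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()


def issue_attestation(image_digest: str, nonce: str, service: str) -> dict:
    """What the third-party runner returns: a signed claim that `service`
    is currently running the container image with digest `image_digest`."""
    statement = {"service": service, "image_digest": image_digest, "nonce": nonce}
    sig = hmac.new(AUTHORITY_KEY, canonical(statement), hashlib.sha256).hexdigest()
    return {"statement": statement, "sig": sig}


def verify_attestation(att: dict, expected_digest: str, nonce: str, service: str) -> bool:
    """Client-side check: issued by the authority, fresh, about the right
    service, and matching the digest the client reproduced from the checkout."""
    expected_sig = hmac.new(AUTHORITY_KEY, canonical(att["statement"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(att["sig"], expected_sig):
        return False  # not signed by the authority, or altered in transit
    st = att["statement"]
    if st["nonce"] != nonce or st["service"] != service:
        return False  # replay of an old statement, or a statement about another service
    return hmac.compare_digest(st["image_digest"], expected_digest)


def demo():
    """Returns (honest deployment verifies, silently swapped image verifies)."""
    # Digest the client computed from its own reproducible build (constructed value).
    built = "sha256:" + hashlib.sha256(b"image built from published checkout").hexdigest()
    nonce = secrets.token_hex(16)
    honest = issue_attestation(built, nonce, "api.example")
    # Operator deployed a different image: the runner truthfully reports its digest.
    swapped = "sha256:" + hashlib.sha256(b"image with extra code").hexdigest()
    altered = issue_attestation(swapped, nonce, "api.example")
    return (verify_attestation(honest, built, nonce, "api.example"),
            verify_attestation(altered, built, nonce, "api.example"))


if __name__ == "__main__":
    print(demo())  # (True, False)
```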
GNU has a page about the problems of SaaSS ("Service as a Software Substitute") going into the problems you mention.

https://www.gnu.org/philosophy/who-does-that-server-really-serve.en.html
I agree with another commenter that in all likelihood it isn't running the same software; rather, the core is open sourced and they have proprietary value-added tools.

For example, many OSS SaaS products I've seen have an open source version that only supports running a single user or single company, but their deployed SaaS version is multi-tenant.

So if you're really concerned about SaaS products slipping in backdoors or something like that that defeats the "publicly auditable" condition (if I'm reading your concern right), you can't do anything about it except run the OSS code yourself and not use the SaaS.
There was a similar discussion on HN. And somebody posted a link to the "CloudProxy Tao for Trustworthy Computing" [1]. I have no idea how it works though.

[1]: https://github.com/jlmucb/cloudproxy