Hi HN, there have been a few posts about auditing OSS security/encryption apps. I'm wondering though - how do we verify that the code we see on GitHub is the same code running live on a webserver? Sure, you could ask for a "hash" but the webserver could fake it. How do you prove what code is running on a remote machine? I'm sure there's a proper name for this kind of problem...
You can't. Or so I think... http://www.gnu.org/licenses/agpl-3.0.html