Viewing a single comment thread. View all comments

celebratedrecluse OP wrote

I'm a little horrified that this seems to be more difficult than i thought, lmao

5

masque wrote

There's a reason why hardcore activists are suspicious of any sort of software-as-a-service platform, regardless of whether the code is FOSS. Ultimately, anything that reasonably can be done locally probably should be.

7

yam wrote

It depends on how subtle this "secret code" is though, and what your suspicions are.

If they're running a fork of a web app, you could loop over the endpoints, comparing the output from a local server with the external server:

server1=foo
server2=localhost
for endpoint in bar baz qux
  do diff <(curl $server1/$endpoint) <(curl $server2/$endpoint)
done

Of course, if your scenario is about very subtle code changes that don't affect output in any way then of course it's difficult, and comes down to trust.

What is your threat model? Is it that the program in question is not really free because they're not sharing the latest code? Is it that they could be serving malicious JavaScript to useres? Is it that they could read your password?

Ultimately you can never even trust that even a compiler runs the code given to it, even if you compiled the compiler yourself, because there could be a malicious compiler compiler.

5