hm that one is a hard one though... since the only way to verify source code is to hash the binary, and what is the process for how to sign the binary as it's running exactly
that's a good question... it's on my mind because i've been inspecting the CosmWasm architecture this last week and one of the things they have in there is a verification that ensures that a source code and a binary version are linked, this thing is a big issue in smart contract engineering - how to ensure that things are deterministic, and it kinda matters with source code too
there's a lot more to but how exactly can you be sure a server is running the software version it says it is, and not some altered version? you can't! at least not trivially
mleku / mleku™️
npub1fj…mleku
2024-10-10 19:54:08
in reply to nevent1q…wr2y
Author Public Key
npub1fjqqy4a93z5zsjwsfxqhc2764kvykfdyttvldkkkdera8dr78vhsmmlekuPublished at
2024-10-10 19:54:08Event JSON
{
"id": "8f53fd2ed63c12a54a0a32f4fbef73a9ee4ee27d457c0a214c1cc5e8982a8ff3",
"pubkey": "4c800257a588a82849d049817c2bdaad984b25a45ad9f6dad66e47d3b47e3b2f",
"created_at": 1728590048,
"kind": 1,
"tags": [
[
"e",
"dc36d36ecf1fb0e126010291014f82cf8096df384c545ec46fcd8e20b8e025fc",
"wss://relay.damus.io/",
"root"
],
[
"e",
"39ab9b841b5c9ea39bbaa84d439d053c9889ed1313b37bcc762adb30b638c130",
"",
"reply"
],
[
"client",
"noStrudel",
"31990:266815e0c9210dfa324c6cba3573b14bee49da4209a9456f9484e5106cd408a5:1686066542546"
]
],
"content": "hm that one is a hard one though... since the only way to verify source code is to hash the binary, and what is the process for how to sign the binary as it's running exactly\n\nthat's a good question... it's on my mind because i've been inspecting the CosmWasm architecture this last week and one of the things they have in there is a verification that ensures that a source code and a binary version are linked, this thing is a big issue in smart contract engineering - how to ensure that things are deterministic, and it kinda matters with source code too\n\nthere's a lot more to but how exactly can you be sure a server is running the software version it says it is, and not some altered version? you can't! at least not trivially",
"sig": "4169768689ecf5365956a8d76dc1878aa1918d0816d21a8959fee50ffc024ea5bd85da59328e93c7cdd468152ed56f129601cdc8f51e6c550b9aff0198dd600a"
}