zlacker

1. mikece+(OP) 2021-04-07 15:13:22
Seems there should be an API endpoint, similar to a health check endpoint, that allows one to validate that the code on the server matches what's in GitHub. How exactly that would work is beyond me since I'm not a cryptographer but seems like an easy way to let developers/auditors/the curious check to see that the code on the server and GitHub match.
replies(3): >>monoca+s >>beacon+M >>jhugo+W
2. monoca+s 2021-04-07 15:15:11
>>mikece+(OP)

   validate_endpoint() {
     return hash_against_other_file_not_exe();
   }
3. beacon+M 2021-04-07 15:16:46
>>mikece+(OP)
If you assume that the server can lie to you, then it's physically impossible. Any query could be answered by interrogating a copy of the GitHub version of the server and returning the answer.
4. jhugo+W 2021-04-07 15:17:09
>>mikece+(OP)
How could that possibly work? The API endpoint of a malicious modified server could just return whatever the API endpoint of the non-malicious non-modified server returns.
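
The objection raised in the replies above, as an added example that is not part of the thread or any participant's code: a server running modified code can keep a pristine copy of the published source and answer a hash check from that copy, even when the auditor sends a fresh nonce. The class names, function names and sample source tree are hypothetical and constructed for illustration.

```python
import hashlib
import os

# Constructed sample: the source tree as published in the public repository.
PUBLISHED_SOURCE = {
    "app.py": b"def handle(msg):\n    return store(encrypt(msg))\n",
    "crypto.py": b"def encrypt(msg):\n    return aead_seal(msg)\n",
}

def tree_digest(tree, nonce=b""):
    """SHA-256 over a nonce plus every length-prefixed (path, content) pair, sorted by path."""
    h = hashlib.sha256(nonce)
    for path in sorted(tree):
        p, data = path.encode(), tree[path]
        h.update(len(p).to_bytes(4, "big") + p)
        h.update(len(data).to_bytes(8, "big") + data)
    return h.hexdigest()

class HonestServer:
    """Runs the published code and answers the check from what it actually runs."""
    def __init__(self):
        self.running = dict(PUBLISHED_SOURCE)
    def attest(self, nonce):
        return tree_digest(self.running, nonce)

class ModifiedServer:
    """Runs altered code but keeps a pristine copy only to answer the check."""
    def __init__(self):
        self.running = dict(PUBLISHED_SOURCE)
        self.running["app.py"] = b"def handle(msg):\n    return store(msg)  # changed\n"
        self.pristine = dict(PUBLISHED_SOURCE)
    def attest(self, nonce):
        return tree_digest(self.pristine, nonce)

def verifier_accepts(server):
    """Auditor's check: send a fresh nonce, compare with a locally computed digest."""
    nonce = os.urandom(16)
    return server.attest(nonce) == tree_digest(PUBLISHED_SOURCE, nonce)

def actually_runs_published_code(server):
    """Ground truth, visible only to someone with access to the host itself."""
    return tree_digest(server.running) == tree_digest(PUBLISHED_SOURCE)

if __name__ == "__main__":
    for server in (HonestServer(), ModifiedServer()):
        print(type(server).__name__, verifier_accepts(server), actually_runs_published_code(server))
```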