Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Hell, even if governments are squeamish about requiring code to be fully open and public, they can still require the manufacturers to privately submit to the government all code that powers public infrastructure (like trains), to be made available to any relevant party upon request.


An organisation that is prepared to write "sabotage" software would have no problem deploying software that is different to the software they submit.


Implying that's an impossible obstacle. Reproducibility is a thing.

Make it so code needs to be reproducibly buildable. Only reproducibly buildable artifacts can be deployed on hardware. Document the whole process.


Compile the code yourself?


Right. Mandate that the software is delivered with CI pipeline running in the client's environment with 100% reproducible builds and verify checksums.


Doesn't mean it's not a step in the right direction. Any transparency is better than zero.


> can still require the manufacturers to privately submit to the government all code

I wonder if companies purchasing trains could put code disclosure in the purchase contract? I wonder if, in aggregate, train purchasers or car purchasers could fund an independent code storage vault and pay a small premium to fund that code vault organization?

In other words, if purchasers wanted this and valued this, they would demand it in purchase contracts and fund it.


code escrow in general should be much more common.


then you just need to bribe the code reviewer(s). open source is still the better answer, good luck bribing every member of the public who could potentially read public code.


That would work only on paper. The financial interests involved are huge.


All the more reason for governments to insist.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: