
But how do you know that the build you verified yourself is the one that is running on their server? It would be amazing to solve this problem - are there any solutions?


End-to-end usually means client to client. So all you need to verify is client code.


Intel SGX, if you trust Intel. But the amount of code that runs on SGX is limited so usually you'd run only critical parts there.

A practical example: https://signal.org/blog/private-contact-discovery/


Wow! That is an interesting issue.

I was thinking of having a trusted third-party service that compares the hash of the deployed application to the one they independently compiled themselves.

But the complexity is nontrivial, and there are enough variations between the outputs of the same source code across different build environments that hashes would be useless.

Another possibility is having trusted compilers that would link the source code to the build in a trusted repository.
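An added example, not part of the thread or of any commenter's post: the third-party hash comparison from the comment above, showing how build-environment metadata changes the digest of identical source and how pinning that metadata lets an independent rebuild match. The source tree, function names and build environments are constructed for illustration, and the sketch assumes the deployed digest is reported honestly, which is the part remote attestation (such as the SGX approach mentioned earlier) addresses.

```python
import gzip, hashlib, io, tarfile

# Constructed sample source tree (path -> contents); not from any real project.
SOURCE = {"app/main.py": b"print('hello')\n", "app/util.py": b"X = 1\n"}

def build(source, mtime, owner, normalize=False, epoch=0):
    """Package `source` into a .tar.gz as a build host would.

    mtime/owner model the build environment. With normalize=True the
    environment-dependent metadata is pinned: file order, timestamps,
    ownership and the gzip header time (in the style of SOURCE_DATE_EPOCH).
    """
    names = sorted(source) if normalize else list(source)
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = len(source[name])
            info.mtime = epoch if normalize else mtime
            info.uname = info.gname = "" if normalize else owner
            info.uid = info.gid = 0
            tar.addfile(info, io.BytesIO(source[name]))
    out = io.BytesIO()
    stamp = epoch if normalize else mtime
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=stamp) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def digest(artifact):
    return hashlib.sha256(artifact).hexdigest()

def verify(deployed_digest, source, **env):
    """Third-party check: rebuild independently, then compare digests."""
    return digest(build(source, **env)) == deployed_digest

if __name__ == "__main__":
    vendor = dict(mtime=1700000000, owner="ci")      # constructed environments
    auditor = dict(mtime=1700003600, owner="alice")
    naive = digest(build(SOURCE, **vendor))
    print("naive rebuild matches:     ", verify(naive, SOURCE, **auditor))
    pinned = digest(build(SOURCE, normalize=True, **vendor))
    print("normalized rebuild matches:",
          verify(pinned, SOURCE, normalize=True, **auditor))
```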



