Sam Gentle.com

Code escrow

There's been a big push in security-conscious projects, particularly Debian, to have what's called reproducible builds. The problem they solve is that open source lets you verify that the source code does what you expect and there's nothing nefarious in it, but how can you get the same assurances for the pre-built binaries that most people download? Only by having a set of steps that deterministically produce an identical set of binaries, so if you trust the source, and you trust the build process, you can trust the binaries.

Reproducible builds are mostly an open-source concern, but it occurs to me that they could also be relevant even when the source is closed. Sometimes closed-source projects want to make their source available in a limited way, for example as part of a security audit. However, even if you trust the auditor, there is still a problem: nothing stops a malicious company from adding or changing things after the audit, before the audited code is built into the binaries that end-users run.

And, although I haven't seen it, it might be useful for a company to use a kind of deferred open-source license to give itself a shorter copyright term of its own choosing. The problem with that is: how do you guarantee it will actually happen? The company would need to deposit its source regularly with a trusted third party, but you'd still have the same issue as with the auditors: how do you trust that the code they've been given is the code you're getting when you download the application?

I think the answer to all of these is a kind of code escrow service. If your closed-source project uses reproducible builds, you provide access to the source code and the build chain to the escrow service. They audit the code, or just hold onto it, or whatever trusted source-code thing you need done. Whenever you publish a new binary, the escrow service can certify that their own run of the build generates the same binary.

For something like a security audit, that might mean they only verify certain versions, or certain components, but for a deferred open-source project it would mean you can trust that the entire source code used to create that version will become available in the future.
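To make the escrow check concrete, here is an added example (my own, not the author's): a toy "build" that packs a constructed source tree into a tar archive with fixed metadata so it is byte-for-byte reproducible, an escrow step that rebuilds from the deposited source and attests to the (source digest, binary digest) pair, and the end-user check that a published binary matches what the escrow attested. An HMAC with a shared key stands in for the escrow's signature purely to keep the example dependency-free; a real service would sign with a public key.

```python
"""Code-escrow attestation on top of a reproducible build (added example)."""
import hashlib, hmac, io, json, tarfile, time

# Constructed sample source tree and escrow key; not from any real project.
SAMPLE_SOURCES = {"main.c": b"int main(void){return 0;}\n", "Makefile": b"all: main.c\n"}
ESCROW_KEY = b"escrow-demo-key"  # stand-in for the escrow's signing key

def deterministic_build(sources: dict) -> bytes:
    """Toy reproducible build: pack sources into a tar with fixed metadata,
    so identical inputs always yield an identical archive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(sources):          # fixed file order
            info = tarfile.TarInfo(name)
            info.size = len(sources[name])
            info.mtime = 0                    # no build-time timestamp
            info.uid = info.gid = 0           # no builder identity
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(sources[name]))
    return buf.getvalue()

def nondeterministic_build(sources: dict) -> bytes:
    """Same build, but it stamps the wall-clock time in, as many real builds do."""
    return deterministic_build({**sources, "BUILD_INFO": str(time.time_ns()).encode()})

def source_id(sources: dict) -> str:
    """Digest of the deposited source tree (names and contents, fixed order)."""
    h = hashlib.sha256()
    for name in sorted(sources):
        h.update(name.encode() + b"\0" + sources[name] + b"\0")
    return h.hexdigest()

def escrow_attest(sources: dict, key: bytes) -> dict:
    """Escrow rebuilds from the deposited source and attests to both digests."""
    claim = {"source_sha256": source_id(sources),
             "binary_sha256": hashlib.sha256(deterministic_build(sources)).hexdigest()}
    payload = json.dumps(claim, sort_keys=True).encode()
    return {**claim, "mac": hmac.new(key, payload, "sha256").hexdigest()}

def verify_published(binary: bytes, attestation: dict, key: bytes) -> bool:
    """End-user check: attestation is genuine and the published binary matches it."""
    claim = {k: v for k, v in attestation.items() if k != "mac"}
    payload = json.dumps(claim, sort_keys=True).encode()
    expected = hmac.new(key, payload, "sha256").hexdigest()
    if not hmac.compare_digest(expected, attestation["mac"]):
        return False  # forged or altered attestation
    return hashlib.sha256(binary).hexdigest() == attestation["binary_sha256"]
```

Note that a vendor whose build is not reproducible fails the check even when honest: the timestamped binary can never match the escrow's rebuild, which is why reproducible builds are the precondition for the whole scheme.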