Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Consider providing a way to verify the code in this repository against production #96

Open
markcellus opened this issue May 3, 2023 · 2 comments
Labels
enhancement New feature or request

Comments

@markcellus
Copy link

Is your feature request related to a problem? Please describe.
Hey! I really like the concept of Community Notes and I appreciate this is open-source. However, there doesn't currently appear to be a way to verify that the code in this repository is the code that is actually running on the web experience. This classifies as a feature request, but could also be considered a security issue as well.

Describe the solution you'd like
A way for any user to technically verify that the code in releases made to mobile and web application for Community Notes is the same code running in this repository.

Thanks for any information!

@maietta
Copy link

maietta commented Aug 1, 2023

Aside from displaying the git commit timestamps and commit hashes on the website/app, I don't know of a good solution.

The only other feasible option would be a 3rd party, independent DevOps verification team who could verify these deployments and provide the status reports publicly.

I think it's on us to trust that the algo is what's being used in production.

@jbaxter
Copy link
Collaborator

jbaxter commented Aug 14, 2023

Love this. Very open to suggestions. Currently, we do release a note_status_history.tsv file which contains note status histories. It is possible (although very high-effort) to run the public code on the data at each time step: since we only run the algorithm once per hour, on the hour in production, you can pass every individual hour as a timestamp to main.py to filter out all ratings newer than that timestamp. Then you'd have manually verified that the public code, run on the public data, can re-create note_status_history.tsv (which you can verify matched production via screenshots or a web-archive-type approach). Be aware that caching and eventual consistency delays can cause it to take up to an hour in some cases for new note scores to propagate everywhere. So basically it is currently possible to do this verification, although is way too much effort, and I'd love to think of something much simpler to allow external verification more akin to a checksum.

@jbaxter jbaxter added the enhancement New feature or request label Aug 14, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Development

No branches or pull requests

4 participants
@jbaxter @markcellus @maietta and others