We need source code verification for canisters

We know we can check the WASM hash of a canister and developer can expose WASM code from their source code on github. There is also a complicated steps to verify code integrity of a canister Creating reproducible canister builds | Internet Computer

However, I think we are missing a fundamental component to tell end users that

  1. whether the frontend canister you are interacting is open sourced. If yes, where is the source code
  2. when the frontend canister makes network calls to other backend canisters, tell users which of them are open sourced and which are not. If open sourced, where is the source code of the downstream backend canister
  3. a place to search for canisters and check the transaction (API calls) request and response history. This may be impossible to implement natively but there should be a SDK for developer to use to expose logs

I think this is crucial for a public blockchain. If it’s hard / near impossible for normal users to verify the code integrity, or at least being assured the code is open sourced given that most users cannot read code, then we can’t say it’s a public decentralized computing platform. And that is a major reason why people don’t believe in ICP per some of my friends opinion.

Also, this provides near feature parity with mainstream blockchains which people are familiar with. This disparity confuses/scars/blocks people to use IC. If most of apps on IC are not open sourced, it is no different from web2. Why people would use IC instead of normal web2 app on AWS?

You can argue that it is the responsibility of developers to open source their dapp and provide a user friendly way to prove the canister is indeed running with that source code. However, without a standard mechanism for both devs and users to easily check that, it would be hard to make that a norm hence hardly make IC a public blockchain

To my understanding, this is possible to be built. Dfinity, do you agree this is important and is there a roadmap for this?

Another possible argument is that all of the dapps out there build their website using AWS and 1% of the component is hosted on Ethereum and you don’t even know whether the frontend/backend is calling the right smart contract with the right request and show users back with the untampered response. They are no better, right?

Well, users can at least check the transaction detail real time on etherscan (or polygonsan etc) and this provides integrity in some level. Whereas on IC, the problem is you don’t know what is running. Telling users canister is unstoppable, untampered and deterministic makes no difference.