For all the newcomers that aren’t aware, I just stumbled upon this insane drama.
Apparently lemmy.ml [http://lemmy.ml] is the result of a reddit sub ban of a
bunch of pro-china bots who vigorously defend the Chinese government, and the
two top admins are also the top devs of the Lemmy source software. Pretty
terrible stuff! The linked thread is full of their insane ramblings and
denialism Edit: I seem to have been blocked from commenting, all my replies are
timing out now. But I wanted to say that I don’t intend to make this post as an
“anti-lemmy” thing, I think the truth should burn brightly in the sunlight. We
should try to continue to grow Lemmy (especially since we’re the largest reddit
clone) while calling out their propaganda and hidden motive. Edit2: turns out I
can comment, I just can’t reply to kbin user comments from my instance. Just
spins indefinitely.
To your first point, you'd have to be able to verify the code that's actually running on the server, which I don't think is possible without having admin access to the server. Any kind of test which involved sending challenges to the server could be cheated--even if you did devise a randomized scheme which could only be passed by running the code you're testing for, the server could just run a second instance of the clean code in the background used solely for that purpose. As long as all the public interfaces (both the UI and API) are the same, you'd be none the wiser. The only thing I could imagine working are side-channel attacks like measuring response times (e.g. if certain responses take longer than expected there might be additional code being run) but I have no idea how feasible that is for this particular situation and it's possible to defend against such attacks with careful coding.
But that's all made moot by your second point, at least from the perspective of an admin running their own instance, provided they audit the relevant parts of the code.