> Even if it were "open source", you would have no proof that the actual production code was the open source version.
There are ways to prove that. You can provide reproducible builds, where someone who builds the software will end up with bit-for-bit identical binaries to the production version. Then, anyone can verify that the available binary matches the available source.
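As an added illustration of the verification step described above (example code, not from the poster), a tiny "build" that packages a constructed in-memory source tree into a zip archive standing in for the production binary: the naive variant embeds the wall-clock build time, so two honest builds already differ, while the normalised variant fixes the timestamp (following the SOURCE_DATE_EPOCH convention), entry order and mode bits, so any independent rebuild reproduces the published artifact bit for bit and a digest comparison detects any artifact that was not built from the published source.

```python
import hashlib
import io
import time
import zipfile

# Constructed sample "source tree": path -> file contents.
SOURCE_TREE = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "src/util.c": b"int helper(void) { return 42; }\n",
    "README": b"demo project\n",
}
# Fixed build timestamp (constructed value) following the SOURCE_DATE_EPOCH
# convention used by reproducible-build tooling.
SOURCE_DATE_EPOCH = 1700000000

def build_naive(tree, now=None):
    """Non-reproducible build: stamps every entry with the wall-clock build
    time and emits files in whatever order the tree was handed over."""
    now = time.time() if now is None else now
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for path, data in tree.items():
            zi = zipfile.ZipInfo(path, date_time=time.localtime(now)[:6])
            zi.compress_type = zipfile.ZIP_DEFLATED
            z.writestr(zi, data)
    return buf.getvalue()

def build_reproducible(tree, epoch=SOURCE_DATE_EPOCH):
    """Reproducible build: fixed timestamp, sorted entry order, fixed mode
    bits and creator system, so the output depends only on the sources."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for path in sorted(tree):
            zi = zipfile.ZipInfo(path, date_time=time.gmtime(epoch)[:6])
            zi.compress_type = zipfile.ZIP_DEFLATED
            zi.create_system = 3            # always "Unix", not host-dependent
            zi.external_attr = 0o644 << 16  # fixed permission bits
            z.writestr(zi, tree[path])
    return buf.getvalue()

def sha256(blob):
    return hashlib.sha256(blob).hexdigest()

def verify_release(published_artifact, tree, builder=build_reproducible):
    """What an independent verifier does: rebuild from the published source
    and compare digests. True only if the artifact matches bit for bit."""
    return sha256(builder(tree)) == sha256(published_artifact)
```

Real toolchains apply the same normalisation to compilers, linkers and archivers (honouring SOURCE_DATE_EPOCH, stripping build paths, sorting inputs); the verifier's job is unchanged: rebuild, hash, compare.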