Our solution to this issue is to allow updates for the service code at any issue, given that the update is made clear initially (as discussed within our recent CACM post) by adding it to some tamper-proof, verifiable https://mixbookmark.com/story3754353/not-known-details-about-a-confidentiality-data-breach-results-from
