[clug] How you know your Free or Open Source Software Project is doomed to FAIL

Paul Harvey csirac2 at gmail.com
Thu Jul 30 05:47:47 UTC 2015

On 30 July 2015 at 14:05, James Ring <sjr at jdns.org> wrote:
> Hey Scott,
> On Wed, Jul 29, 2015 at 8:59 PM, Scott Ferguson
> <scott.ferguson.clug at gmail.com> wrote:
>> Downloading anything which is not verifiable, from a http source leaves
>> you open to MiM attacks - what you subsequently download may be not what
>> you think.
> Please tell me what you think you mean by "verifiable". :)
> https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf

We can never get 100%, but that's no excuse to at least try to do
better. It's why I believe the reproducible builds project in Debian
[1] is a great start: rather than blindly trust even direct PGP
signatures on blessed binaries, we can also have entities
independently build in multiple instances to at least vouch that, for
a given set of sources, with a given toolchain, this exact sequence of
bits and bytes should be generated for a given binary.

A sort of poor-man's proxy for verification by way of consensus.

[1] https://wiki.debian.org/ReproducibleBuilds

More information about the linux mailing list