
Re: [tor-talk] "Safeplug"



On 11/22/2013 16:53, Red Sonja wrote:
> > How can one be sure that firmware that is running on the router is
> > built from this particular source code and not from some modified
> > version or different revision?
>
> Hashes?
>
> The ability to build it from sources?
>
> If you search you can find a few other solutions.

Nope, there is no solution. A hash can only prove it comes from this vendor; it doesn't establish vendor trust. You practically can't prove that the firmware is built from the particular source, since it is practically impossible to duplicate the build environment for any complex project from the real world.


> > Also how can one be sure that one extra service wasn't added on top
> > of this open source?
>
> Go for your own compile and see what's broken.

Sorry, this doesn't make any sense.

> > Open source only makes sense when built and installed by the party
> > interested in security, or maybe when it is built by some trustworthy
> > organization, like some trusted Linux distro, and not just some
> > random commercial company without any reputation.
>
> Not really. How about the Tor project? Trust comes precisely from this
> open source, open review. In fact, Tor is one step above: it's Free
> Software.


Yes, trust comes with the open review and a transparent build process. None of these is possible with firmware supplied by commercial companies. Therefore, no trust. The product in its original form is pretty much useless for what it is advertised.

However, there are many useless products on the market, and commercial success doesn't seem to correlate with "usefulness". So I only wish them well in their endeavor. Nice try anyway.

Yuri