
Re: [tor-talk] [linux-elitists] Surveillance



----- Forwarded message from "D. Joe" <deejoe@xxxxxxxxxxxx> -----

Date: Sun, 8 Sep 2013 15:15:48 +0000
From: "D. Joe" <deejoe@xxxxxxxxxxxx>
To: linux-elitists@xxxxxxx
Subject: Re: [linux-elitists] Surveillance
User-Agent: Mutt/1.5.20 (2009-06-14)

On Sun, Sep 08, 2013 at 06:58:08AM -0700, Don Marti wrote:
> begin Greg KH quotation of Sat, Sep 07, 2013 at 09:14:31PM -0700:
> > But what else needs to be worked on?  What gaps do people feel we have
> > that are causing problems that we can solve with technological measures,
> > not just legal ones?
> 
> A repository of deliberately subverted packages
> for some key components?   Not just to show what's
> possible when Bad Builds Happen to Good Software,
> and call attention to it, but to give people some
> real scenarios to work through.

A little less . . . equanimity . . . in the face of unauditable blobs,
maybe?


Getting back to deterministic builds, Eugen has mentioned Tor's efforts with
regard to deterministic builds, and I think we get the nugget of what
deterministic builds entail in the context of a single system vis-à-vis a
centralized repository, but consider:

  https://blog.torproject.org/category/tags/deterministic-builds

Working out the conventions for this could diffuse the targets of
malefactors' subversion attempts against source repositories, against binary
repositories, and against build environments.

Think of it, perhaps, as a web-of-trust applied to the build process, or
DVCS meets web-of-trust meets grid computing.

A great deal of the "build from source" enthusiasm revolves around making
customized builds.  To the extent that these are one-off efforts (even if
done on a grand scale, as Marc has described), they don't yield to
distributed end-to-end auditing of the code, from source to object.

With the ability to compare the code at each end of the build toolchain,
perhaps subcommunities of interest will have more incentive to share details
of their more specialized efforts: So they can groom each other for bugs in
the build environment.

-- 
Joe   On ceding power to tech companies: http://xkcd.com/1118/
man screen | grep -A2 weird
  A weird imagination is most useful to gain full advantage of
  all the features.

_______________________________________________
Do not Cc: anyone else on mail sent to this list.  The list server is set for maximum one recipient.
linux-elitists mailing list
linux-elitists@xxxxxxx
http://zgp.org/cgi-bin/mailman/listinfo/linux-elitists

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5
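The forwarded message above argues that deterministic builds let independent parties "compare the code at each end of the build toolchain", and that a web-of-trust could decide whose build attestations count. The following is an added example, not code from the thread, from the Tor Project, or from any distribution's build tooling. It uses a toy stand-in for a compiler (a hash over the source plus whatever timestamp the build embeds) so that the whole exercise runs offline; the builder names, the source snippet, the pinned timestamp FIXED_EPOCH and the hashes are constructed. It shows three things: why an unpinned clock makes every builder disagree without anyone having tampered, how pinning it makes honest builders agree bit-for-bit so a single altered artifact stands out, and how a trusted-builder set keeps a crowd of unknown builders from outvoting the ones you actually trust.

```python
import hashlib
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample source and a pinned build timestamp (the role that
# SOURCE_DATE_EPOCH plays in real reproducible-build setups). Both are
# hypothetical values for this example, not taken from the thread.
SOURCE = b"int main(void) { return 0; }\n"
FIXED_EPOCH = 1378652148


def build(source: bytes, build_time: int, tampered: bool = False) -> bytes:
    """Toy stand-in for a compiler run.

    The artifact depends on the source and on whatever timestamp the build
    embeds. A deterministic build pins build_time so the artifact becomes a
    function of the source alone. tampered=True models a builder that alters
    the output; the marker is a constructed placeholder, not a real payload.
    """
    header = b"BUILT-AT:" + str(build_time).encode() + b"\n"
    payload = source + (b"#tampered\n" if tampered else b"")
    return header + hashlib.sha256(payload).digest()


def artifact_hash(artifact: bytes) -> str:
    """Digest a builder would publish (or sign) as its attestation."""
    return hashlib.sha256(artifact).hexdigest()


def verify_consensus(reports: Dict[str, str], quorum: int,
                     trusted: Optional[Set[str]] = None) -> Tuple[Optional[str], List[str]]:
    """Compare the digests independent builders attest to.

    reports: builder name -> hex digest that builder claims to have produced.
    quorum:  how many considered builders must agree before any digest counts.
    trusted: builders whose attestations you accept (None = all of them);
             this is the hook where a web-of-trust would decide membership.
    Returns (agreed digest or None, builders whose digest disagrees with it).
    """
    considered = {b: h for b, h in reports.items() if trusted is None or b in trusted}
    if not considered:
        return None, sorted(reports)
    digest, votes = Counter(considered.values()).most_common(1)[0]
    if votes < quorum:
        return None, sorted(considered)
    return digest, sorted(b for b, h in considered.items() if h != digest)


def scenario_clock_leaks_in() -> Tuple[Optional[str], List[str]]:
    """Each builder embeds its own clock: all outputs differ although nobody
    tampered, so the comparison carries no information about subversion."""
    clocks = {"alice": FIXED_EPOCH, "bob": FIXED_EPOCH + 52, "carol": FIXED_EPOCH + 153}
    reports = {b: artifact_hash(build(SOURCE, t)) for b, t in clocks.items()}
    return verify_consensus(reports, quorum=2)


def scenario_deterministic() -> Tuple[Optional[str], List[str]]:
    """With the timestamp pinned, honest builders agree bit-for-bit and the
    single altered artifact is the one that does not match."""
    reports = {b: artifact_hash(build(SOURCE, FIXED_EPOCH)) for b in ("alice", "bob", "carol")}
    reports["mallory"] = artifact_hash(build(SOURCE, FIXED_EPOCH, tampered=True))
    return verify_consensus(reports, quorum=3)


def scenario_untrusted_majority() -> Tuple[Optional[str], List[str]]:
    """Three builders nobody vouches for agree with each other, but only the
    trusted set is counted, so they cannot outvote it."""
    good = artifact_hash(build(SOURCE, FIXED_EPOCH))
    bad = artifact_hash(build(SOURCE, FIXED_EPOCH, tampered=True))
    reports = {"alice": good, "bob": good, "x1": bad, "x2": bad, "x3": bad}
    return verify_consensus(reports, quorum=2, trusted={"alice", "bob"})


if __name__ == "__main__":
    for scenario in (scenario_clock_leaks_in, scenario_deterministic, scenario_untrusted_majority):
        print(scenario.__name__, scenario())
```

The point of the first scenario is the one the message gestures at with "bugs in the build environment": before any comparison can detect a subverted builder, every legitimate source of variation (timestamps, paths, locale, file ordering) has to be pinned, otherwise honest disagreement drowns out the malicious kind. The trusted-set parameter is deliberately a plain set here; in a real deployment it would be derived from signatures on the attestations and whatever trust graph the community maintains.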
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk