Hi There, AK wrote:
Sorry - not trying to be too critical here, but them sounds like weasel words - 'mostly taken' and 'can be'. Without having *all* source verified by cryptographic signatures or otherwise, you're probably increasing the chances of rogue code running, rather than mitigating it with binaries.Sorry forgot to answer your first question.The sources are mostly taken from already quite trusted sources and can be verified by PGP signatures. You can also read the sources and since they get compiled on your computer, you know that what you read is what you get. Also, other people can read the sources and give reviews and you will know that those reviews actually correspond to what is running on your system.
Reviews take too long - by the time a 'negative' review is out - it's too late, there will be systems that are running compromised code.
My first suggestion - all source / binaries being cryptographically verified.
P. _______________________________________________ tor-talk mailing list tor-talk@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk