LWN: Comments on "Security software verifiability"

Security software verifiability

deepfire — Sat, 24 Aug 2013 12:14:54 +0000

Gitian, as suggested above, is, AIUI, a better choice, as it allows cross-verification by independent parties.

Security software verifiability

jospoortvliet — Sat, 24 Aug 2013 08:49:32 +0000

Would building binaries on a public service like an openbuildservice.org not be a huge help in determining if binaries are build from the source they are supposed to be build from? With OBS and its ability to repeatedly build exactly the same thing you could repeat a build and md5sum the resulting binaries, compare to what you've got installed...

You could even run a local OBS instance (build from the code yourself, if you like) and repeat builds done on the public one if you don't trust it...

Security software verifiability

zooko — Fri, 23 Aug 2013 15:24:11 +0000

I just posted a follow-up on the cryptography@randombit.net list:

http://lists.randombit.net/pipermail/cryptography/2013-Au...

Security software verifiability

zooko — Fri, 23 Aug 2013 14:36:55 +0000

It's not clear to me about the availability and licensing of Silent Circle's code. They have several different products, and I can't tell if the current binary releases distributed through the phone app stores correspond to any of the source code that has been posted. I rather doubt it, as the source code hasn't been updated in at least 5 months: https://github.com/SilentCircle

Also I haven't seen a licensing declaration about how we are allowed to use the source code.

Security software verifiability

zooko — Fri, 23 Aug 2013 14:33:44 +0000

Bitcoin uses gitian now: https://en.bitcoin.it/wiki/Release_process

Security software verifiability

pj — Thu, 22 Aug 2013 13:20:33 +0000

I believe gitian (http://gitian.org/) is a workable solution to this; multiple builders mean it's difficult to compromise *all* of them.