You know, if you want to make some form of investment, you might make an attempt to look them up on the internet, check the phone number in a phone book or directory enquiries, look for references and reviews?
So it is with the hash of the binary you are about to trust with your investment funds. I don't think it's such a difficult question. Ask your more technical friends to confirm this hash is correct.

It's interesting that hashes are more trustworthy than signatures; since all the NSLs and backdoors, it's hard to trust a signature. I have the same problem with Linux distros that want to install hundreds of components downloaded over the internet, based on signatures. I would far rather have a merkle hash of the distribution at that point in time, which authenticates directly any of the optional downloadable components.

(Or better yet a distro that comes on a CD and doesn't download anything... Amazing how most CD and even DVD ISO images immediately download stupid things like fonts??? What were they thinking? I downloaded Fedora, > 4GB of stuff, and they need to download a font just to get past step 2 of the installer? That's a senseless, retrograde, selective backdoor opportunity.)

Adam

On Fri, Jan 03, 2014 at 11:22:35AM +0000, Tier Nolan wrote:
> On Fri, Jan 3, 2014 at 9:59 AM, Drak <[1]d...@zikula.org> wrote:
>
> > Which is why, as pointed out several times at 30c3 by several renowned
> > figures, cryptography has remained squarely outside of mainstream use.
> > It needs to just work, and until you can trust the connection and what
> > the end point sends you, automatically, it's a big fail and the attack
> > vectors are many.
> >
> > <sarcasm>I can just see my mother or grandma manually checking the hash
> > of a download... </sarcasm>
>
> Maybe a simple compromise would be to add a secure downloader to the
> bitcoin client.
>
> The download link could point to a meta-data file that has info on the
> download.
>
> file_url=
> hash_url=
> sig_url=
> message=This is version x.y.z of the bitcoin client
>
> It still suffers from the root CA problem though. The bitcoin client
> would accept Gavin's signature or a "core team" signature.
>
> At least it would provide forward security.
> It could also be used to download files for different projects, with
> explicit warnings that you are adding a new trusted key.
>
> When you try to download, you would be given a window:
>
> Project: Some Alternative Wallet
> Signed by: P. Lead
> Message:
>
> Confirm download  Yes  No
>
> However, even if you do that, each trusted key is only linked to a
> particular project.
>
> It would say if the project and/or leader is unknown.
>
> References
>
> 1. mailto:d...@zikula.org

_______________________________________________
Bitcoin-development mailing list
Bitcoin-development@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bitcoin-development