john saylor <[email protected]> writes:

> On 4/22/14, 14:37 , Edward Ned Harvey (blu) wrote:
>> You're saying, that the only way anybody in the world can trust
>> anything, is to literally download everything from source, *read*
>> all the source, and compile it themselves.
>
> instead of just calling "bs" can you suggest some other means by which
> you can trust crypto software?
>
> if you're not doing this work [source examination and local compile]
> then what are you basing your trust upon?
>
> someone else's word? someone else's audit report? what other means are
> available to you?

There's always FIPS 140 certification:

http://oss-institute.org/latest-news/248-openssl-announces-new-fips-140-2-validation-

But it appears that the testing labs doing that insist that at least
they themselves get to see the source code:

http://www.albany.edu/acc/courses/ia/acc661/sp800-29.pdf

I would agree that my studying all the source code I run isn't
realistic. (Nonetheless it's nice to daydream about running a system
simple enough where that's almost feasible -- minix? plan 9?)

I've spent hours here and there this week just trying to read enough X
source to figure out whether I'm right in thinking I need to do the
following to use the security extension or if there's a more direct way
and whether there's a way to mark XVideo as a secure extension. The
documentation isn't very clear about what access you already need
before running xauth generate.

    (trusted_user) $ xhost +si:localuser:untrusted_user
    (trusted_user) $ su -l untrusted_user -c xterm
    (untrusted_user) $ xauth generate :0 . timeout 10000
    (trusted_user) $ xhost -si:localuser:untrusted_user
    (untrusted_user) $ firefox & mplayer & etc.

Auditing everything I use would be too much time, and I don't have the
skill. It's the wider world I'm counting on, but ideally, it would be a
wider group than a single company's development department or that
company plus a single government test lab.
