Daniel Kahn Gillmor writes:

> This sounds very much like the idea of certificate transparency (CT),
> but applied to source code or binaries. Have you considered raising
> this with the CT folks? I'm also interested in seeing something like
> this in other contexts (e.g. debian and other OS distributions) and if
> we had a simple, generic way to ensure that everyone was getting the
> same code as everyone else, that would be very nice.
>
> I recognize that debian might have some slightly different challenges in
> terms of logs than just an HTTPS-E ruleset update; but if you're
> interested in exploring where those mechanisms might overlap, i'd be
> happy to have that conversation with you.

I've made this comparison explicitly in a couple of talks recently, but
I haven't made contact with the CT developers about it. I think it
would be quite productive; another question is whether this deserves
(or already has?) its own mailing list somewhere.

--
Seth Schoen <[email protected]>
Senior Staff Technologist, Electronic Frontier Foundation
https://www.eff.org/
https://www.eff.org/join
815 Eddy Street, San Francisco, CA 94109
+1 415 436 9333 x107
_______________________________________________
HTTPS-Everywhere mailing list
[email protected]
https://lists.eff.org/mailman/listinfo/https-everywhere
