On Thu, 15 Jan 2015, carlo von lynX wrote:
> On Thu, Jan 15, 2015 at 12:50:41PM -0500, Richard Brooks wrote:
>> Actually, you also need to have source code for the compilers
>> used and the compiler's compilers...
>
> Yes, we have those. We have systems completely produced from
> source and others that are working on complete reproducibility.

If anyone would like a decent intro and overview of why this is important and what the current state is, Mike Perry's and Seth Schoen's presentation from CCC is worth the time:

http://media.ccc.de/browse/congress/2014/31c3_-_6240_-_en_-_saal_g_-_201412271400_-_reproducible_builds_-_mike_perry_-_seth_schoen_-_hans_steiner.html#video

Sadly, given what we know about the current state of play and the actors involved (state-based, non-state, ad-tech companies, etc.) it's sadly the case that we can't trust binaries made in the US if the public can't reproduce the build from source. This is tragic both for users and for US firms in this space. This is not tinfoil-hat terrain. The good news is every incremental step towards that goal - reproducible builds from public source - brings some benefit. So no need to be cynical or feel helpless. Axolotl seems like a good first step; maybe it'll be a gateway drug to ChatSecure.

Brian
