On Fri, Mar 09, 2018 at 05:12:08PM -0500, Peter Todd wrote:
> On Fri, Mar 09, 2018 at 12:19:47PM -0800, theinnovativeinven...@gmail.com 
> wrote:
> > I was looking at the canaries, and I liked the idea of a proof of freshness 
> > with the latest news headlines. While people can't create canaries ahead of 
> > time, it is possible to conspire to modify or backdate one of them after 
> > they have been published. To prevent this, we could use a blockchain-based 
> > timestamp, where the hashes of each canary are placed within the blockchain 
> > of a powerful cryptocurrency. Something similar to these services:
> > 
> > https://opentimestamps.org/
> > http://originstamp.org/home
> > 
> > This way, if there ever is a interruption of canaries, followed by a court 
> > order or something forcing you guys to backdate a falsified canary or 
> > modify old ones, we will all be able to check.
> 
> The easiest way to do this is to simply use the OpenTimestamps (OTS) git 
> integration.
> This blog post explains how:
> 
> https://petertodd.org/2016/opentimestamps-git-integration
> 
> Additionally, while not covered in that blog post, OTS also supports a mode
> where it rehashes the git tree in such a way that an efficient, SHA256-based,
> timestamp proof can be extracted later for each file. In the next release this
> will be done by default, but for now you have to add the --rehash-trees option
> where the ots-git-gpg-wrapper command is called.
> 
> FWIW, as of this week, Bitcoin Core maintainer Wladimir J. van der Laan 
> started using OTS to timestamp Bitcoin Core commits and tags.

Is there any sensible way of installing the OTS client securely? There is a
chain of dependencies which are not packaged for either Debian or
Fedora (python-opentimestamps, bitcoinlib, pysha3, ...). And since pip
relies only on https (so, on the integrity of its infrastructure), the only
alternative is downloading the sources manually, verifying their signatures
(after finding and verifying what key should really be used for that
particular package), then installing them in /usr/local or such.

And even if I'd do all that (I gave up after two iterations), then I
need to manually track updates for all those packages. Otherwise I risk
exposing my development environment to yet another attack vector. Well,
by installing the ots client I do that anyway, but by not updating that
stuff, I make things easier for the attacker, because he/she could use
publicly known, already patched vulnerabilities.

I have better use for my time...

I see two solutions for this problem:
1. Package all the dependencies for Fedora (preferred) and/or Debian.
2. Make a split-gpg-like integration so those possibly
outdated/backdoored (pip install...) packages would run in a separate VM
(maybe even a DispVM).

I'm not sure about the ots client interface, but the second approach may
not be that hard to implement.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
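As an added illustration of the second option above (example code written for this edit, not code from the thread, OpenTimestamps or Qubes): a split-gpg-style arrangement in which the trusted VM never runs the pip-installed OTS client. The trusted side streams the canary file over qrexec to a dedicated or disposable VM, which runs `ots stamp` and returns the `.ots` proof; the trusted side records the file's SHA-256 locally and does a cheap sanity check on the returned proof before keeping it. The VM name `ots-vm`, the service name `qubes.OtsStamp` and the policy line are assumptions chosen for the example; `qrexec-client-vm`, `ots stamp` and `ots verify` are the real Qubes and OTS commands, and the proof header magic is taken from the python-opentimestamps serialization format.

```shell
#!/bin/sh
# Split-OTS sketch for Qubes (hypothetical names: VM "ots-vm", service "qubes.OtsStamp").
set -eu

# --- trusted side (the VM holding the git checkout / canaries) ----------------

# SHA-256 of the file as seen by the trusted VM. Kept so the proof can later be
# verified against the original bytes, not against whatever the other VM saw.
canary_sha256() {
  sha256sum "$1" | cut -d' ' -f1
}

# Sanity filter on data coming back across the trust boundary: an OTS proof
# file starts with the magic  \0OpenTimestamps\0\0Proof\0  (23 bytes).
looks_like_ots_proof() {
  [ "$(head -c 23 "$1" | tr -d '\000')" = "OpenTimestampsProof" ]
}

# Send the file to the timestamping VM over qrexec and store the returned proof
# next to it, as "FILE.ots". The less-trusted VM only ever sees file content and
# can only hand back bytes; it cannot touch the checkout itself.
ots_split_stamp() {
  file="$1"
  target="${OTS_SPLIT_VM:-ots-vm}"   # assumption: name of the timestamping VM
  qrexec-client-vm "$target" qubes.OtsStamp < "$file" > "$file.ots.tmp"
  if looks_like_ots_proof "$file.ots.tmp"; then
    mv "$file.ots.tmp" "$file.ots"
  else
    rm -f "$file.ots.tmp"
    echo "qubes.OtsStamp returned something that is not an OTS proof" >&2
    return 1
  fi
}

# --- service side: /etc/qubes-rpc/qubes.OtsStamp in ots-vm --------------------

# Reads the file on stdin (bounded, so a misbehaving caller cannot fill the disk),
# stamps it with the pip-installed client and returns the proof on stdout.
ots_split_service() {
  tmp=$(mktemp -d)
  head -c 4194304 > "$tmp/canary"
  ots stamp "$tmp/canary" >/dev/null
  cat "$tmp/canary.ots"
  rm -rf "$tmp"
}

# dom0 policy, /etc/qubes-rpc/policy/qubes.OtsStamp (assumed VM names):
#   work  ots-vm  allow
# Later, from the trusted VM, "ots verify FILE.ots" checks the proof against the
# local FILE, and "ots upgrade" fetches the Bitcoin attestation once it exists;
# both still run the client, so they belong in the same separate VM.
```

Usage, from the trusted VM: `ots_split_stamp canary-014.txt` writes `canary-014.txt.ots` only if the returned bytes carry the proof magic. Pairing this with the `--rehash-trees` git mode mentioned above lets each canary file get its own SHA-256 based proof without the client ever running where the signing keys live.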
