On Fri, Mar 09, 2018 at 05:12:08PM -0500, Peter Todd wrote:
> On Fri, Mar 09, 2018 at 12:19:47PM -0800, theinnovativeinven...@gmail.com wrote:
> > I was looking at the canaries, and I liked the idea of a proof of freshness
> > with the latest news headlines. While people can't create canaries ahead of
> > time, it is possible to conspire to modify or backdate one of them after
> > they have been published. To prevent this, we could use a blockchain-based
> > timestamp, where the hashes of each canary are placed within the blockchain
> > of a powerful cryptocurrency. Something similar to these services:
> >
> > https://opentimestamps.org/
> > http://originstamp.org/home
> >
> > This way, if there ever is an interruption of canaries, followed by a court
> > order or something forcing you guys to backdate a falsified canary or
> > modify old ones, we will all be able to check.
>
> The easiest way to do this is to simply use the OpenTimestamps (OTS) git
> integration.
> This blog post explains how:
>
> https://petertodd.org/2016/opentimestamps-git-integration
>
> Additionally, while not covered in that blog post, OTS also supports a mode
> where it rehashes the git tree in such a way that an efficient, SHA256-based,
> timestamp proof can be extracted later for each file. In the next release this
> will be done by default, but for now you have to add the --rehash-trees option
> where the ots-git-gpg-wrapper command is called.
>
> FWIW, as of this week, Bitcoin Core maintainer Wladimir J. van der Laan started
> using OTS to timestamp Bitcoin Core commits and tags.

Is there any sensible way of installing OTS client securely? There is a chain
of dependencies which are not packaged for either Debian or Fedora
(python-opentimestamps, bitcoinlib, pysha3, ...). And since pip relies only on
https (so, integrity of its infrastructure), the only alternative is
downloading sources manually, verifying its signature (after finding and
verifying what key should really be used for that particular package), then
installing it in /usr/local or such.

And even if I'd do all that (I gave up after two iterations), then I need to
manually track updates for all those packages. Otherwise I risk exposing my
development environment to yet another attack vector. Well, by installing ots
client I do that anyway, but by not updating that stuff, I make things easier
for the attacker, because he/she could use publicly known, already patched
vulnerabilities. I have better use for my time...

I see two solutions for this problem:

1. Package all the dependencies for Fedora (preferred) and/or Debian.
2. Make a split-gpg-like integration so those possibly outdated/backdoored
   (pip install...) packages would run in separate VM (maybe even DispVM).

I'm not sure about ots client interface, but the second approach may not be
that hard to implement.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
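Added example, not part of the original thread and not OpenTimestamps code: a generic SHA-256 Merkle tree showing why one committed root allows a short per-file proof to be extracted later, and why a canary edited after the commitment fails verification. The tree layout, the 0x00/0x01 prefixes and the sample canary texts are assumptions constructed for illustration; the real OTS proof format and the --rehash-trees layout differ.

```python
import hashlib

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def build(leaves):
    """Return (root, proofs). proofs[i] is a list of (sibling, sibling_is_left)."""
    if not leaves:
        raise ValueError("need at least one leaf")
    level = [h(b"\x00" + leaf) for leaf in leaves]  # 0x00 prefix marks a leaf
    pos = list(range(len(leaves)))                  # each leaf's index in `level`
    proofs = [[] for _ in leaves]
    while len(level) > 1:
        for i, p in enumerate(pos):
            sib = p ^ 1
            if sib < len(level):                    # unpaired last node has no sibling
                proofs[i].append((level[sib], sib < p))
            pos[i] = p // 2
        nxt = [h(b"\x01" + level[j] + level[j + 1])  # 0x01 prefix marks an inner node
               for j in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])                   # promote the odd node unchanged
        level = nxt
    return level[0], proofs

def verify(leaf: bytes, proof, root: bytes) -> bool:
    """Recompute the path from one leaf to the root using only its proof."""
    node = h(b"\x00" + leaf)
    for sibling, sibling_is_left in proof:
        pair = sibling + node if sibling_is_left else node + sibling
        node = h(b"\x01" + pair)
    return node == root

# Constructed sample data: three canary texts (not real Qubes canaries).
CANARIES = [b"canary 1: signed 2018-01, headline A",
            b"canary 2: signed 2018-02, headline B",
            b"canary 3: signed 2018-03, headline C"]
ROOT, PROOFS = build(CANARIES)  # ROOT is the single value that would be timestamped

if __name__ == "__main__":
    for i, c in enumerate(CANARIES):
        print(i, verify(c, PROOFS[i], ROOT), len(PROOFS[i]), "proof steps")
    forged = b"canary 2: signed 2018-02, headline B (edited later)"
    print("forged:", verify(forged, PROOFS[1], ROOT))
```

Only the root needs to be committed to an external timestamp; each file's proof stays logarithmic in the number of files.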