On Fri, Nov 15, 2002 at 06:45:45PM -0500, Alex Snow wrote:
> If you want to make sure the webinstaller hasn't been messed with, just sign
> it with something like gpg.

Oh yes, it's all so simple: we sign the webinstaller; in fact we don't even need to do that, we just insert it under an SSK. </sarcasm>. The problem is that we need to be able to revoke and/or update the signing key, otherwise a Bad Guy who got the key could destroy most of the network just by distributing compromised nodes.

> Explorer has caused a general protection fault in module kernel32.dll. I'm
> sick of Winblows!
> ----- Original Message -----
> From: <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, November 15, 2002 9:30 AM
> Subject: [freenet-support] Re: [freenet-dev] Getting rid of the last central
> point of failure
>
> > > For a while now, we have been working on the distribution servlet, which
> > > is basically designed to allow people to give copies of Freenet, together
> > > with seednodes, to their friends
> >
> > erm - why? doesn't there exist some webinstallers? just bundle a
> > webinstaller (or even a webinstaller-installer) with your seednodes and
> > mail them away to the new user.
> > hu will then receive this mail with some installing
> > instructions/installer files and can build up hus (sounds stupid :p) node.
> > the needed jar files can be d/led from /snapshots/, or, if you think this
> > may be potentially tainted somehow, d/led by a minimal-fred provided by
> > the installer from the freenet under a CHK or SSK-site, which will contain
> > all releases of fred, inserted by the developers.
> > either way you will have a weak spot: the program that installs fred.
> > either it will report you to someone or download a modified fred and
> > install that one on your system. or you can not guarantee that your
> > /snapshot/ files are valid, if you point the new user to the url to let
> > him download the files all by himself.
> > one possible way is to mirror the released snapshots and version within
> > freenet, so no one can touch them, but to be able to reach them, you
> > already have to be able to access freenet, this speaks for a mini-fred,
> > which will download the files for you. but the miniinstaller can be
> > tainted, too, leaving you with a loop of possible weak points.
> >
> > i personally have no clue how you can make *sure* a user gets untainted
> > files if the user does not have already freenet access.
> >
> > maybe it would be wise to start a new site within freenet, which will
> > mirror the developers' cvs tree and snapshots *done by a trusted person
> > (=devl)*, so one can be sure, the /snapshots/ files are not the only
> > location to get one of the newer builds (it is possible to modify streams
> > from a webserver, so you can be sure, it is possible to modify the
> > response to your "get some file from snapshots" in that way, that you will
> > receive a modified fred which can harm your anonymity)
> >
> > so at least you can make *sure* the user will stay "clean" if you start
> > inserting the snapshots within freenet and use a SSK'ed site to gather
> > them, too
> >
> > ---~~---
> >
> > geeh - i think i have to read my mails more often so i've got to add
> > something to General Discussion, nearly all of my topics have been
> > addressed so far by others ;)

-- 
Matthew Toseland
[EMAIL PROTECTED]
[EMAIL PROTECTED]
Freenet/Coldstore open source hacker.
Employed full time by Freenet Project Inc. from 11/9/02 to 11/1/03
http://freenetproject.org/
