Reproducing distributed binaries

phobos at rootme.org phobos at rootme.org
Thu Aug 18 03:30:34 UTC 2005


Well, we publish the rpm spec file so you can build your own rpm here:
http://tor.eff.org/cvs/tor/tor.spec.in which is also in the source
tarball.

Feel free to submit the trivial script to do as you suggest below, we'll accept it.

The binary releases are also signed with the developer's key.  Such as
http://tor.eff.org/dist/rpm/tor-0.1.0.14-tor.0.fc1.i386.rpm.asc.


On Wed, Aug 17, 2005 at 09:46:36PM -0500, packwidth at gmail.com wrote 4.7K bytes in 88 lines about:
:  I know that this topic has been discussed quite exhaustively with  
: regard to other security applications, but here it goes again:
: 
:  What is necessary to determine that the binaries that are  
: distributed are actually compiled from the source tarball (same  
: checksum)?
: [This is assuming, of course, that one checks out the source and the  
: install scripts included with the binaries.]
:  I assume you'd need to use the same compiler, compiler version, and  
: compile options.  Anything else?
: 
:  I anticipate several responses suggesting that I just use the  
: binary that I compiled in order to test the distributed version!  But  
: there are advantages to using the prepackaged version (ie ease of  
: installation and distribution across several systems).  It would be  
: trivial to write a script to grab the tarball and the binary package,  
: uncompress and compile the source (according to compile specs  
: provided in the tarball?) then compare the two.  The script would  
: also output the diffed source (and install scripts) (from the  
: previous version) to let you examine the changes in the source code.
: 
:  If there were several people running a script like this with every  
: release, it would be considerably easier to detect the presence of a  
: trojaned binary package.
: 
: Any thoughts on the matter?
: 
: Cheers,
: Phil



-- 



More information about the tor-talk mailing list