[tor-talk] Pirate Linux
Peter Tonoli
peter+tor at metaverse.org
Sat Aug 6 02:47:45 UTC 2011
Hi There,
AK wrote:
> Sorry forgot to answer your first question.
>
> The sources are mostly taken from already quite trusted sources and
> can be verified by PGP signatures. You can also read the sources and
> since they get compiled on your computer, you know that what you read
> is what you get. Also, other people can read the sources and give
> reviews and you will know that those reviews actually correspond to
> what is running on your system.
Sorry - not trying to be too critical here, but that sounds like weasel
words - 'mostly taken' and 'can be'. Without having *all* source
verified by cryptographic signatures or otherwise, you're probably
increasing the chances of rogue code running, rather than mitigating it
with binaries.
Reviews take too long - by the time a 'negative' review is out - it's
too late, there will be systems that are running compromised code.
My first suggestion - all source / binaries being cryptographically
verified.
P.
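As an added illustration of the "all source cryptographically verified" suggestion above (this is example code written for this page, not code from the original post and not anything from the Pirate Linux project), the following POSIX shell function verifies one source tarball fail-closed: a missing signature, a digest mismatch, an unverifiable signature, or a signature from any key other than the one pinned in the build recipe is a rejection, never a pass. The fingerprint and digest arguments are placeholders to be replaced with the upstream project's real values; the `gpg` status-line parsing uses GnuPG's documented `VALIDSIG` machine-readable output.

```shell
#!/bin/sh
# Fail-closed source verification (added example; not the project's code).
# Usage: verify_source <tarball> <expected-sha256> <trusted-key-fingerprint>
# Exit status 0 only when BOTH the pinned digest and a valid detached
# signature from the pinned key check out. Anything else is a rejection.

digest_of() {
    # sha256sum on GNU systems, shasum on BSD/macOS.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

verify_source() {
    tarball=$1
    expected_sha256=$2
    trusted_fpr=$3
    sig="$tarball.asc"

    # "Can be verified" is not verification: no signature file means reject.
    [ -f "$sig" ] || { echo "REJECT: no signature file for $tarball" >&2; return 1; }

    # Check 1: the digest pinned in the build recipe. This catches a swapped
    # tarball even before any key material is consulted.
    actual=$(digest_of "$tarball")
    [ "$actual" = "$expected_sha256" ] || {
        echo "REJECT: sha256 mismatch for $tarball (got $actual)" >&2; return 1; }

    # Check 2: the detached signature must verify, and must come from the
    # pinned key, not merely from some key that happens to be in the keyring.
    # --status-fd 1 gives machine-readable lines; VALIDSIG carries the signing
    # key fingerprint as field 3 and the primary key fingerprint as the last field.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null) || {
        echo "REJECT: signature on $tarball does not verify" >&2; return 1; }
    printf '%s\n' "$status" | awk -v fpr="$trusted_fpr" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { ok = 1 }
        END { exit !ok }' || {
        echo "REJECT: valid signature, but not from pinned key $trusted_fpr" >&2; return 1; }

    echo "OK: $tarball verified (sha256 + signature from $trusted_fpr)"
    return 0
}

# Stand-alone invocation: ./verify.sh foo-1.0.tar.gz <sha256> <fingerprint>
if [ "$#" -eq 3 ]; then
    verify_source "$1" "$2" "$3"
fi
```

The point of pinning the fingerprint, rather than accepting whatever `gpg --verify` returns success for, is that a keyring accumulates keys over time; "some key signed this" is a much weaker statement than "the release key signed this". Pinning the digest as well means the build recipe itself records exactly which bytes were reviewed, which is what makes a later review actually correspond to what was built.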