yuri at rawbw.com
Sun Nov 24 02:23:01 UTC 2013
On 11/22/2013 16:53, Red Sonja wrote:
>> How can one be sure that firmware that is running on the router is
>> built from this particular source code and not from some modified
>> version or different revision?
> The ability to build it from sources?
> If you search you can find a few other solutions.
Nope, there is no solution. Hash can only prove it comes from this
vendor, it doesn't establish vendor trust. You practically can't prove
that firmware is built from the particular source since it is
practically impossible to duplicate the build environment for any
complex project from the real world.
>> Also how can one be sure that one extra service wasn't added on top
>> of this open source?
> Go for your own compile and see what's broken.
Sorry, this doesn't make any sense.
>> Open source only makes sense when built and installed by the party
>> interested in security, or maybe when it is built by some trustworthy
>> organization, like some trusted linux distro, and not just some
>> random commercial company without any reputation.
> Not really. How about the tor project? Trust comes precisely from this
> open source, open review. In fact, Tor is one step above: it's Free
Yes, trust comes with the open review, and transparent build process.
None of these is possible with firmwares supplied by commercial
companies. Therefore, no trust. Product in its original form is pretty
much useless for what it is advertised.
However, there are many useless products on the market, and commercial
success doesn't seem to correlate with "usefulness". So I only wish them
well in their endeavor. Nice try anyway.
More information about the tor-talk