[tor-talk] "Safeplug"

Yuri yuri at rawbw.com
Sun Nov 24 02:23:01 UTC 2013

On 11/22/2013 16:53, Red Sonja wrote:
>> How can one be sure that firmware that is running on the router is
>> built from this particular source code and not from some modified
>> version or different revision?
> Hashes?
> The ability to build it from sources?
> If you search you can find a few other solutions.

Nope, there is no solution. A hash can only prove it comes from this 
vendor; it doesn't establish vendor trust. You practically can't prove 
that the firmware is built from the particular source, since it is 
practically impossible to duplicate the build environment for any 
complex project from the real world.

>> Also how can one be sure that one extra service wasn't added on top
>> of this open source?
> Go for your own compile and see what's broken.

Sorry, this doesn't make any sense.

>> Open source only makes sense when built and installed by the party
>> interested in security, or maybe when it is built by some trustworthy
>> organization, like some trusted linux distro, and not just some
>> random commercial company without any reputation.
> Not really. How about the tor project? Trust comes precisely from this
> open source, open review. In fact, Tor is one step above: it's Free
> Software.

Yes, trust comes with open review and a transparent build process.
Neither of these is possible with firmware supplied by commercial 
companies. Therefore, no trust. The product in its original form is pretty 
much useless for what it is advertised as.

However, there are many useless products on the market, and commercial 
success doesn't seem to correlate with "usefulness". So I only wish them 
well in their endeavor. Nice try anyway.
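The distinction drawn in the message above, between checking a vendor-published hash and rebuilding the firmware from source, as an added example (editor's illustration, not code from the original thread or from the Safeplug product): a toy "build" that embeds a timestamp, build path and toolchain string the way real toolchains do, a hash check against the vendor's published digest, and a rebuild-and-compare check. The source tree, the two build environments, the extra service and the pinned SOURCE_DATE_EPOCH value are all constructed for illustration.

```python
"""Vendor hash vs. reproducible rebuild: two checks that answer different questions."""
import hashlib
import hmac
import time

# Constructed stand-in for the published open-source tree: file name -> contents.
SOURCE_TREE = {
    "init.sh": b"#!/bin/sh\nexec /usr/bin/tor -f /etc/tor/torrc\n",
    "torrc": b"SocksPort 0.0.0.0:9050\nTransPort 0.0.0.0:9040\n",
}

# Constructed build environments. The vendor pins a build timestamp; the
# third-party rebuilder initially does not and uses a different path/toolchain.
VENDOR_ENV = {"path": "/home/vendor/build", "toolchain": "gcc-4.7",
              "SOURCE_DATE_EPOCH": 1385000000}
MY_ENV = {"path": "/home/me/build", "toolchain": "gcc-4.8"}


def with_extra_service(source_tree):
    """Constructed modification: the vendor ships the open tree plus an extra
    listener that is not in the published source."""
    tree = dict(source_tree)
    tree["init.sh"] = tree["init.sh"] + b"/usr/sbin/extra-service --listen 0.0.0.0:8080 &\n"
    return tree


def build_image(source_tree, build_env):
    """Toy build: a metadata header followed by the sources in sorted order.
    Real toolchains embed the same kinds of data (timestamps, absolute build
    paths, tool versions), which is exactly what makes a bit-for-bit
    reproduction hard unless every one of them is pinned."""
    stamp = build_env.get("SOURCE_DATE_EPOCH", int(time.time()))
    header = (f"BUILD_TIME={stamp}\nBUILD_PATH={build_env['path']}\n"
              f"TOOLCHAIN={build_env['toolchain']}\n").encode()
    body = b"".join(name.encode() + b"\0" + data
                    for name, data in sorted(source_tree.items()))
    return header + body


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_vendor_hash(image, published_hash):
    """Check 1: the image equals what the vendor published. This proves the
    download was not altered in transit; it says nothing about what the
    vendor built in."""
    return hmac.compare_digest(sha256_hex(image), published_hash)


def verify_reproducible(vendor_image, source_tree, build_env):
    """Check 2: rebuild from the published source in the given environment and
    compare bit-for-bit with the vendor image."""
    return sha256_hex(build_image(source_tree, build_env)) == sha256_hex(vendor_image)


def run_checks():
    """Walk through the four situations and return the outcome of each."""
    vendor_image = build_image(with_extra_service(SOURCE_TREE), VENDOR_ENV)
    published = sha256_hex(vendor_image)  # what the vendor posts on its site

    return {
        # Passes even though the image carries the extra service.
        "hash_matches_vendor": verify_vendor_hash(vendor_image, published),
        # Fails, but for two reasons at once (different environment AND
        # different source), so the failure proves nothing by itself.
        "naive_rebuild_matches": verify_reproducible(vendor_image, SOURCE_TREE, MY_ENV),
        # With the environment fully pinned, an honest image does reproduce.
        "pinned_rebuild_of_clean_image": verify_reproducible(
            build_image(SOURCE_TREE, VENDOR_ENV), SOURCE_TREE, VENDOR_ENV),
        # With the environment pinned, the remaining mismatch is attributable
        # to the source, which is the only check that catches the extra service.
        "pinned_rebuild_of_vendor_image": verify_reproducible(
            vendor_image, SOURCE_TREE, VENDOR_ENV),
    }


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name}: {'match' if ok else 'MISMATCH'}")
```

The third case is the one that is hard to reach in practice: it requires knowing and pinning every input the vendor's build consumed (timestamp, paths, toolchain and its exact version), which is the point made above about duplicating a real build environment. Without that pinning, a mismatch cannot be distinguished from harmless build noise.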
