Re: Why trust any software?

Tue, 06 Aug 2013 08:57:39 -0700 



On Tue, 6 Aug 2013, Mark H. Wood <mw...@iupui.edu> wrote:


On Mon, Aug 05, 2013 at 12:31:13PM +0200, kardan wrote:
[snip]

Also many linux users look strange at me if I say I do compile parts
of my debian system.


Heh, but then Gentoo Linux users will look at you strangely if you say
that you *don't* compile parts of your system. :-)


Fri, 26 Jul 2013 09:22:32 -0400
"Mark H. Wood" <mw...@iupui.edu> wrote:


Well, Windows users who aren't programmers, who switch to e.g. Linux,
will then be Linux users who aren't programmers, so this alone changes
little for the individual.  He is still dependent on others in the
community.  That is quite alright -- an important part of PKC is for
people to find out for themselves who is reliable and form open-eyed
trust relationships.


Can you please explain what you mean by PKC in this context?


Sorry -- public key cryptography.


Do you know of signing mechanisms for developers to
 A have special keys for signing code changes
 B sign each others keys to approve they are knowledged enough to
 understand and check the code reliably.
 C sign a piece of software/patch/commit with it


I don't see how this is different from a community building trust
relationships for email.


? Also it is interesting to differ between source and binaries -
tracking source changes and builds separatedly or even confirm a
trust chain with a combination of both.


I suppose that you could rig a compiler to compute signatures over the
sources it reads and incorporate these signatures into the binary.
Likewise the linker.  The whole toolchain would have to be carefully
considered and modified to suit.  I haven't heard of anyone doing
that.  (Someone will now point out that we would be reposing even more
trust in the toolchain, making its verification more important.  Yes.)

--
Mark H. Wood, Lead System Programmer   mw...@iupui.edu
Machines should not be friendly.  Machines should be obedient.


Here is one recent effort along this line of defense:

https://bitcointalk.org/index.php?topic=83743.0

oo--JS.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users























					Reply via email to