On Thu, 2 Jan 2014, Peter Lawler wrote:
On 01/01/14 23:11, Weedy wrote:
If this really bothers you, you build from source. And vet the source code
before building images.
This is what I do for my clients.
Someone also mentioned this approach on the trac issue[0], so I'll use
the same comments here as well. No offence meant by not personalising it :)
---
Someone asked me earlier today about how a 'self built' approach
alleviates the chicken and egg problem of the compiler[1]
Why should you trust the compiler used by the project more than the compiler on
your system?
In any case, don't the people you are trying to defend against have the power to
forge SSL certs as well? (by being able to get some CA that your system trusts
to sign a cert that they control) so even if you downloaded via HTTPS they could
still mitm your download.
I would suggest that you turn your concerns closer to home. How do you know they
haven't put malware on your hard drive the way that this page shows can be done?
http://spritesmods.com/?art=hddhack
Not to mention the possibility of your smartphone being hacked by its charger,
and then being used to hack the rest of your system.
There are so many ways in that modifying the source code you download in a way
that will still compile on a project that changes as rapidly as openwrt is a
very daunting task, and you should expect that they have far better uses of
their time.
David Lang
At minimum, I'd suggest maybe it'd be a better usage of
infrastructure/development time for OpenWRT to consider
reproducible/deterministic binaries[2][3] or am I showing my ignorance
of current practice of OpenWRT?
Cheers,
Pete.
[0] https://dev.openwrt.org/ticket/13346#comment:6
[1] http://cm.bell-labs.com/who/ken/trust.html
[2] https://wiki.debian.org/ReproducibleBuilds
[3] https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel