On Wed, 08 Jun 2016 11:41:14 +0000, CANNON NATHANIEL CIOTA wrote:
....
> Open source and compiling from source is best option. Hopefully there
> are enough programmers that are able to interpret the source code
> examining it. Although the source code may be good, most users do not
> compile from source. Most users install pre-compiled binaries. If I was
> an adversary I would have the source code clean and have a backdoor in
> the pre-compiled binaries knowing most people do not compile from
> source.

That's why tor is doing reproducible builds.

> Most people is all it takes for a sybil position in the network.
> To mitigate such a thing, one good solution would be to replace 'apt-get
> install tor'

I'd tend to trust debian to do their thing right, at least as much
as I trust my own verification of what I downloaded to build tor.

> with instructions of how to download, verify integrity, and
> compile from source; in guides aimed at aspiring Tor node operators and
> advanced users.

Data point: https://github.com/apk/buildery/blob/master/tor-build/build.sh

This is with building openssl, and has issues that the LD_LIBRARY_PATH
needs to be correct when starting it. Should perhaps throw a -Bstatic
in there.

Andreas

--
"Totally trivial. Famous last words."
From: Linus Torvalds <torvalds@*.org>
Date: Fri, 22 Jan 2010 07:29:21 -0800