[prev in list] [next in list] [prev in thread] [next in thread]
List: secure-desktops
Subject: Re: [Secure Desktops] Introducing a public db for software and firmware hashes
From: Gabriel Scherer <gabriel.scherer () gmail ! com>
Date: 2016-11-11 14:57:52
Message-ID: CAPFanBFP4nE7QNoophkk7LY_UtQNJNk0xy8SKcd_jSCN5zTXTA () mail ! gmail ! com
[Download RAW message or body]
Hi,
Your email or the website make no mentions of the form of software
(sources, binaries, distribution packages...) that you suppose is to
be hashed. Do you intend it to be format-agnostic (and have, maybe,
separate hashes in the base for the source and various distribution
packages), or to be "the canonical version distributed to end-users",
or have a more specific form of software packages in mind?
(I understand that this effort, especially if format-agnostic, is
orthogonal/complementary to the work on reproducible builds that is
gaining steam at https://reproducible-builds.org/ )
On Fri, Nov 11, 2016 at 9:40 AM, Joanna Rutkowska
<joanna@invisiblethingslab.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Hi, I've recently created this simple repo:
>
> https://github.com/rootkovska/codehash.db
>
> ... which is an attempt to somehow addresses a problem of software and firmware
> "verifiability" (the word is somehow loaded, hence in quotation marks).
>
> I imagine that once more and more vendors, such as e.g. Tails or Subgraph, or
> secure messenger app devs, or various firmware projects (coreboot, Trezor,
> OpenWRT, etc) agreed to stick to this format, we could expect each of them to
> submit hashes + signatures with each new release of their software. These
> hashes would then be subsequently verified and submitted by other witnesses.
> Each person or organization will be free to host a repo similar to the one
> above, only with the "proofs" from the select witness they consider somehow
> trusted or meaningful.
>
> Any comments welcome!
>
> Cheers,
> joanna.
> -----BEGIN PGP SIGNATURE-----
>
> iQIcBAEBCAAGBQJYJdhRAAoJEDOT2L8N3GcY++UQALSpFDHBqOPRYdpUzyUIicLR
> 6Rh3scyzizQogoAk2dPTMJw3J/bKBljybxL4PtxEXzbY2eITw128Bu8M0vno4rzY
> G/UCFPus5tUcrqoZcX0+usqfZzr2zStG5kNIaW2tCf9AkUrCgcyNZSBUNnXSTADJ
> Eb7U85YnhZnVw5qeqAaCgoA0uYiOB7xIWj4hB+g8LJXHJXjvit4vttylH5x2HOsx
> Dxer7GSEMaPKy2yvt7Q4Z+KyXhvfLiF93FAy/kj6WLUXOBlk4e+J+mw7x6fe2yiK
> 3Eiy7nHp/bxMgowTqZiPqy/nYZIS02ArhavkNphTYa/cCqCZFwpKRTQa73bvdIca
> 8KebY2/1J+yVfG1SZdaSrU0GKDAvjz/a9AYiGlEn4lBgvctyhnw8OTdE0vOw2M3T
> 9aMFq5BGt7FIAWygTrxI34ucj9aU1Q4QEpw5C1i7grIPEMAAPt09ST/7Ypc9TGcu
> 28UIWlmz/UVdR/wsJzT8BpnRMdZcfRg9hp/+/xs8CSYgCs0xS8NUmuVvlPMmIewB
> MqrQo+sqU3J0QYN2WdMX1f4gkjT5x8oitI1MTTLiX8mXAXpR4o/I4AwEY6tzfcfa
> 4ntbnmmeeKqCwKLGhRQAi2pzSb7k0AOPNJDFBdeScPswfV0lTUozXC9sdy+g03cg
> h4j990kcnAryDze7CAHu
> =VY0L
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Desktops mailing list
> Desktops@secure-os.org
> https://secure-os.org/cgi-bin/mailman/listinfo/desktops
_______________________________________________
Desktops mailing list
Desktops@secure-os.org
https://secure-os.org/cgi-bin/mailman/listinfo/desktops
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic