[prev in list] [next in list] [prev in thread] [next in thread]
List: secure-desktops
Subject: Re: [Secure Desktops] Introducing a public db for software and firmware hashes
From: Joanna Rutkowska <joanna () invisiblethingslab ! com>
Date: 2016-11-11 15:14:22
Message-ID: 20161111151421.GC2734 () work-mutt
[Download RAW message or body]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On Fri, Nov 11, 2016 at 09:57:52AM -0500, Gabriel Scherer wrote:
> Hi,
>
> Your email or the website make no mentions of the form of software
> (sources, binaries, distribution packages...) that you suppose is to
> be hashed. Do you intend it to be format-agnostic (and have, maybe,
> separate hashes in the base for the source and various distribution
> packages), or to be "the canonical version distributed to end-users",
> or have a more specific form of software packages in mind?
>
We can hash whatever that makes the most sense for a particular project. E.g.
for an OS project like Qubes OS or Tails, it makes most sense to hash the final
ISO. For a popular distro like Debian or Fedora, it might make lots of sense to
additionally have hashes of all the packages from the stable apt/yum
repositories.
For a project like some secure communication app, which is distributed via
github.com and the user is expected to build it herself, it might make most
sense to give the hash of the sources for the given release (git commit id if
you're into SHA1).
For an embedded project like OpenWRT, where one can build a trillion of
binaries, depending on the config used, again it will make more sense to give
the hash of the sources (e.g. for 15.05.01). (Of course, in case of OpenWRT this
makes no sense actually, as it does attempt to wget and/or git clone some
sources during its build process _without_ checking their digests. Although,
admittedly, for majority of others it does check the hashes indeed, it's
irrelevant, because only one "wget|bash" is needed to destroy everything.)
> (I understand that this effort, especially if format-agnostic, is
> orthogonal/complementary to the work on reproducible builds that is
> gaining steam at https://reproducible-builds.org/ )
>
Of course. Because what good is it that I can build something reproducibly, if I
cannot compare my result with others?
joanna.
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCAAGBQJYJeBNAAoJEDOT2L8N3GcY9yAP/R2bnZ+JHu+pVX1gHVaISmqV
sMAY8bB1MvkLBVMaTi9GLJbFvFmWPlju+abLX0bMo/G4F6cAJrQDxxOn4URYNpv5
DYfo4cvuDUEtp40vx3qntnEaQ18vZ1cCAL4X2yseSmUgR/wAsMMO/iltRxMtQkUn
MW33bYHemx1RuTclECBPcpVZTpm2dowfBzsRn6bEs+flDOIw0/kMHA1AQUDfVEoV
oPR1YU6ejOux6AxghMOTpbb9YcxEFXMz3kqgLBaZP0y2d8PL1Ipuhn6pjgWvgIEz
SElRxuKLU9fIPrMsxbPeozUPEqrEi8l07IZA4u1d9LdgIhXgatgEcVsKm40HXAZX
39nT2d7fntogtQuU3gyIebW+ZsMqF/8/yTR76HswRkYY1BbfEhrtYHZtJiGckP1e
wOoAiCEEwiCOUBkwDLmxA7DTzYUuZcJ7aX6UJ+8dr96BdKPZ4C2qmPKrd5lz73X3
vx5IjKVbWJVZ42ofvsTxWSRWf7W3NGf+SbXfASv4UO20O7+WMffP50qrWq+dOOhT
EN3f/D7LytGg6q1Owe4+Iv6BaBcOvyj4+lIYuf12UcCgiDtYBLtnuGjiY6mHDC+b
Fa1N6CC+ZH5+eCbK8FvwpUA9yWUhHooU/yDkcy6YsL5dcE4bDusu0rKA9si14IMc
vaClckWgMp+kswWMk5c+
=+a//
-----END PGP SIGNATURE-----
_______________________________________________
Desktops mailing list
Desktops@secure-os.org
https://secure-os.org/cgi-bin/mailman/listinfo/desktops
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic