[prev in list] [next in list] [prev in thread] [next in thread]
List: secure-desktops
Subject: Re: [Secure Desktops] Introducing a public db for software and firmware hashes
From: Joanna Rutkowska <joanna () invisiblethingslab ! com>
Date: 2016-11-11 15:22:12
Message-ID: 20161111152212.GD2734 () work-mutt
[Download RAW message or body]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On Fri, Nov 11, 2016 at 04:14:22PM +0100, Joanna Rutkowska wrote:
> On Fri, Nov 11, 2016 at 09:57:52AM -0500, Gabriel Scherer wrote:
> > Hi,
> >
> > Your email or the website make no mentions of the form of software
> > (sources, binaries, distribution packages...) that you suppose is to
> > be hashed. Do you intend it to be format-agnostic (and have, maybe,
> > separate hashes in the base for the source and various distribution
> > packages), or to be "the canonical version distributed to end-users",
> > or have a more specific form of software packages in mind?
> >
>
> We can hash whatever that makes the most sense for a particular project. E.g.
> for an OS project like Qubes OS or Tails, it makes most sense to hash the final
> ISO. For a popular distro like Debian or Fedora, it might make lots of sense to
> additionally have hashes of all the packages from the stable apt/yum
> repositories.
>
> For a project like some secure communication app, which is distributed via
> github.com and the user is expected to build it herself, it might make most
> sense to give the hash of the sources for the given release (git commit id if
> you're into SHA1).
>
> For an embedded project like OpenWRT, where one can build a trillion of
> binaries, depending on the config used, again it will make more sense to give
> the hash of the sources (e.g. for 15.05.01). (Of course, in case of OpenWRT this
> makes no sense actually, as it does attempt to wget and/or git clone some
> sources during its build process _without_ checking their digests. Although,
> admittedly, for majority of others it does check the hashes indeed, it's
> irrelevant, because only one "wget|bash" is needed to destroy everything.)
>
> > (I understand that this effort, especially if format-agnostic, is
> > orthogonal/complementary to the work on reproducible builds that is
> > gaining steam at https://reproducible-builds.org/ )
> >
>
> Of course. Because what good is it that I can build something reproducibly, if I
> cannot compare my result with others?
>
Also, in case it wasn't clear: the primary audience for such a DB should be
developers or admins (e.g. IT department in a large organization), I think. Not
users. Users are always somehow fated to trust the "last mile" vendor, and there
is little feasibility in implementing any form of trust distribution for them.
joanna.
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCAAGBQJYJeIjAAoJEDOT2L8N3GcYdCUP/0/xzMwVKdCGMovN9sOAStgL
VK5CuqJEddozkMxaiADuvgIX6/IE/2UCf7tEQG/IWBnlgzRNu6zqrkuOEWp6kyzv
PbVMzbtAQ5wxBcJHpnVhGzuCSpiOLO+SESXLVUj5ahR0qBgmrbTrLt4YSH4ACwHw
oVhM46Hl6t+fgHYiqiea2wqDNICGoowRmssLqOrIDaKKS4aiUxyMQU0svGej872K
mQvd4O0eAP7iY7hqqnh6T8wtIltCoRO9bOqKNi2k0s2ROXe3ihRrpLMC0cguJjZz
J9Ji5SdpvOI1V64SmcoxXHNcPgZtTIs+msTFHXW2d1KMKwR7xgIN84OZ6O4SHh9G
7C4A+0X/PgRzW5DrdV54qLLCNe1SEx/0m8/1L5stkqqw9xgeCSZRPABhf4YasKgQ
pZJUYDzu0sN+mF8AmXqPirjohOTt/g+pa06eRBpzPHBMnFc5JWtJ5ait2rBQ+xOo
50W+aMXInRvRAK3egimNLdsGUyhdgDhBxZSON2+I4JoRgWp1Ia25xy1L2Edb21V6
+i2P482wbAR+mcjlFOq73YzTY21ZGL0If5l2G3o2Nk8BbvVIe8myDrPM+sOslmaC
RH0ZbP1ysBskDJ10ebu8EjVNCuY+lzUOZa/2olEAPqysqG6ktlTuIMZR4d78BKrB
OBeQzBPXjtpED1B6G4z7
=Lc1e
-----END PGP SIGNATURE-----
_______________________________________________
Desktops mailing list
Desktops@secure-os.org
https://secure-os.org/cgi-bin/mailman/listinfo/desktops
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic