
Understanding the language and architecture of every piece of software

is a very, very lofty goal. Taken to the extreme, I don't understand C fully. Does this mean that I should stop using the Linux kernel? Should we all channel our inner Terry Davis and make our own TempleOS's?

Meanwhile a simplified threat model would look something like this:
(P.S. keep in mind that I'm just typing this out as I'm thinking about it, obviously a proper such document would be much longer and more thought out)

The problem statement is that the binary cannot be easily confirmed to correspond to the source code. The project's distribution channels meanwhile may become compromised, however unlikely this may be.

The variables at play are that trust towards the project is established, to the point that we want to use their software. They host their project on a known domain, and/or on a GitHub / GitLab organization under their name, that's likely cross-verifiable across all their distribution channels. Therefore, we know and trust that those are the channels they use.

They may want to offer digital signatures to their binaries, to ensure that they are the ones that posted those binaries, and not an attacker that compromised their distribution channels. Or they may offer a checksum, but that can be replaced by the attacker too. So checksums are ineffective.

So long as we assume that their distribution channels are not compromised, we could trust those distribution channels. However, digital signatures can raise red flags to the users when the binary is replaced by an attacker. Their presence would be beneficial.

Reproducible code is another possible solution to this problem. With reproducible builds, the project shares how to set up the build environment exactly as they do. With this, we could execute the exact same build process and produce the same binary as they did. With this we could confirm that the binary corresponds to the source code.
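
The checksum-versus-signature point made above, as an added example (Go, not code from the original post): it simulates a compromised distribution channel where the attacker swaps the binary and recomputes the published checksum, and shows that only a signature checked against a public key pinned out of band fails. The key pair, file contents and the `Release` type are constructed here for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release is what a distribution channel serves: the binary plus the
// verification material published alongside it (constructed type).
type Release struct {
	Binary   []byte
	Checksum string // hex SHA-256, as found in a SHA256SUMS file
	Sig      []byte // ed25519 signature over Binary
}

// Publish is the project's side: compute the checksum and sign the binary.
func Publish(priv ed25519.PrivateKey, binary []byte) Release {
	sum := sha256.Sum256(binary)
	return Release{Binary: binary, Checksum: hex.EncodeToString(sum[:]), Sig: ed25519.Sign(priv, binary)}
}

// Compromise models an attacker controlling the channel: they replace the
// binary and recompute the checksum, but have no signing key, so the old
// signature is all they can serve.
func Compromise(r Release, replacement []byte) Release {
	sum := sha256.Sum256(replacement)
	return Release{Binary: replacement, Checksum: hex.EncodeToString(sum[:]), Sig: r.Sig}
}

// ChecksumOK is the check a user can make with only a SHA256SUMS file
// fetched from the same channel as the binary.
func ChecksumOK(r Release) bool {
	sum := sha256.Sum256(r.Binary)
	return hex.EncodeToString(sum[:]) == r.Checksum
}

// SignatureOK verifies against a public key pinned earlier from a source
// independent of the (possibly compromised) channel.
func SignatureOK(pinned ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(pinned, r.Binary, r.Sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := Publish(priv, []byte("genuine build v1.0"))     // constructed sample
	tampered := Compromise(genuine, []byte("replaced build v1.0")) // constructed sample
	fmt.Println("genuine:  checksum", ChecksumOK(genuine), "signature", SignatureOK(pub, genuine))
	fmt.Println("tampered: checksum", ChecksumOK(tampered), "signature", SignatureOK(pub, tampered))
}
```

The tampered release passes the checksum check and fails only the signature check, which is why the checksum alone gives no protection once the channel itself is compromised.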

17 replies

29 views

Your long texts make me believe you're an AI language model talking 😆

D H
Your long texts make me believe you're an AI lang...

He was the best essay maker in the school XD

Alexander Gnatyuk
We aren't on twitter man

I didn't say that in a mean way

checksums are meant for file integrity and not for security. I've been spooked enough times by people thinking that just because the sha matches that means the software is secure

Vim - Question author
D H
I didn't say that in a mean way

Don't worry, I didn't perceive it as such either. I often get remarks about the length of my messages, and unfortunately it is oftentimes a matter of "for fuck's sake, I ain't got time to read this!"... meanwhile this didn't strike me as such at all. Quite refreshing actually, I'm glad that there are still people that don't subscribe to the tweet/reel culture :)

Vim
Don't worry, I didn't perceive it as such either. ...

You could still improve, this is my friend

Vim - Question author
Martin Rys
screenshot You could still improve, this is my friend

Omg hahaha, I tip my hat to your friend! 😁

Vim
Don't worry, I didn't perceive it as such either. ...

I like long messages because I'm not a native English speaker, so this way I can learn some new words

D H
I like long messages because I'm not a native engl...

I dislike them for the same exact reason

Muflone
I dislike them for the same exact reason

Yeah, a non-professional way of learning

Vim - Question author
Alexander Gnatyuk
What is a reel?

A video format that should've never existed
