GoldBug SF projects [was: Bittorrent Bleep]
On Fri, Sep 19, 2014 at 12:57 AM, Randolph <rdohm321@gmail.com> wrote:
Hi Grarpamp uh? The post was just, that bleep messenger is not open source and I would not use it. Instead there is firefloo as open source and it has binaries to download, which I evaluated. A mobile version of that would be cool, but I cannot compile this. The website seems to be run by the QXMPP developer. If you want to build it yourself, I think the developers added the information here https://sourceforge.net/p/firefloo/code/HEAD/tree/trunk/branches/0.09/Docume... or for the used library I think here https://sourceforge.net/p/spot-on/code/HEAD/tree/branches/0.12/Documentation... as I have never compiled firefloo, I can try to do that with Qt and if successful provide a script after the weekend, but dont relay on me for that. But if possible, I send it to you. Regards
If you are able to compile a binary that sha-256 matches the distributed binary, yes, please do make your compilation script and platform notes available. No, do not send it to me, send it to the list. As to the "uh?" above ... Search results for info on this family of sourceforge applications are slim and don't really inspire the level of confidence this type of crypto software would typically require... empty profiles, empty mailing lists, no CV's, no whitepapers (there is a goldbug manual), no presentations... no obvious email addresses... the claim to be working with EFF and CCC... and likely the same folks mimicing TBB below ... all of which has been said before. You seem to be the one most familiar with the projects, only one on the net posting about them (plus Thomas), only one to know anything, seemingly chatting in the devel channel... http://sourceforge.net/p/goldbug/mailman/goldbug-forum/ More people here would like to welcome these new projects provided they meet some of the usual community standards suitable for crypto projects. If you (or more specificaly, whoever is behind these) are playing anonymous or somesuch, and this cluster of projects on sourceforge is legit, accept my apologies, I'm sure you understand where people are coming from. Doing a little more digging and CC'ing some potential relevants for comment... Regarding firefloo ...
The website seems to be run by the QXMPP developer.
I don't find any obvious forward references to SF from anyone seemingly affiliated with qxmpp. The backwards tree... http://firefloo.sourceforge.net/ http://sourceforge.net/p/firefloo/wiki/Home/ http://qex.users.sourceforge.net/ qexmpp http://manjeetdahiya.users.sourceforge.net/ Manjeet Dahiya http://amit1097.users.sourceforge.net/ Amit Jaiswal The forward tree... http://code.google.com/p/qxmpp/ qxmpp at googlegroups.com http://code.google.com/u/manjeetdahiya/ manjeetdahiya at gmail.com http://code.google.com/u/jeremy.laine/ jeremy.laine at gmail.com http://code.google.com/u/109046035500614130948/ 0xd34df00d at gmail.com https://github.com/qxmpp-project qxmpp at googlegroups.com https://github.com/manjeetdahiya http://manjeetdahiya.com/ manjeetdahiya at gmail.com http://www.cse.iitd.ernet.in/~dahiya/ dahiya at cse.iitd.ernet.in https://github.com/jlaine http://www.jerryweb.org/ a6a9316d247390d196dbdc16960648c0-1457464 at contact.gandi.net http://www.sailcut.com/ jeremy.laine at m4x.org 0xD2CF64921ACE2687 https://github.com/0xd34df00d 0xd34df00d at gmail.com http://0xd34df00d.me/ 0XD34DF00D.ME at domainsbyproxy.com https://plus.google.com/109046035500614130948/posts http://leechcraft.org/our-team Regarding goldbug, again no obvious forward references ... The backwards tree... https://www.facebook.com/pages/Goldbug/765809276783788 http://goldbug.sourceforge.net/ http://sourceforge.net/projects/goldbug/ http://sourceforge.net/u/berndhs/profile/ Bernd H Stramm http://sourceforge.net/u/mikeweber/profile/ Michael Weber https://www.google.com/search?q="michael+weber"+(crypto|goldbug) https://www.google.com/search?q="wwwmichi at gmx.ch" http://sourceforge.net/projects/goldbug/files/goldbug-im_WIN_1.1/GoldBug_Sec... er_Manual_1.1.pdf/download http://en.wikipedia.org/wiki/Draft:GoldBug_(software) http://en.wikipedia.org/wiki/Wikipedia:Articles_for_deletion/GoldBug_(softwa...) https://lists.torproject.org/pipermail/tor-talk/2013-July/029107.html thomasasta at googlemail.com (Thomas Asta) http://es.listoso.com/diaspora-discuss/2013-07/msg00013.html https://mailman.stanford.edu/pipermail/liberationtech/2013-July/010344.html http://lists.gnupg.org/pipermail/gcrypt-devel/2013-July/002257.html http://lists.gnupg.org/pipermail/gnupg-users/2013-July/047137.html http://comments.gmane.org/gmane.comp.peer-to-peer.waste.discuss/218 https://www.mail-archive.com/otr-users@lists.cypherpunks.ca/msg00429.html http://marc.info/?l=openssl-users&s=goldbug http://marc.info/?l=openssl-dev&s=goldbug The forward tree... https://launchpad.net/~bernd-stramm bernd.stramm at gmail.com 0x4604458E https://github.com/berndhs https://twitter.com/berndhs https://plus.google.com/113338680925263376814/posts https://www.facebook.com/public/Bernd-Stramm Regarding some of the other projects, same issues ... http://spot-on.sourceforge.net/ http://sourceforge.net/projects/spot-on/ http://sourceforge.net/u/textfield/profile/ Alexis Megas "Echo Protocol" http://pidgin.im/pipermail/devel/2013-August/023115.html http://en.wikipedia.org/wiki/Echo_(communications_protocol) http://bitmail.sourceforge.net/ http://sourceforge.net/projects/bitmail/ http://sourceforge.net/u/mikeweber/profile/ Michael Weber http://sourceforge.net/u/cholinek/profile/ Damian Cholewa http://sourceforge.net/u/donnico/profile/ Nicola De Filippo http://sourceforge.net/u/dontinelli/profile/ Don Tinelli http://dooble.sourceforge.net/ http://sourceforge.net/projects/dooble/ http://sourceforge.net/u/textfield/profile/ Alexis Megas http://browser4tor.sourceforge.net/ http://sourceforge.net/projects/browser4tor/ http://torbrowser.sourceforge.net/ http://sourceforge.net/projects/torbrowser/ http://sourceforge.net/u/doobleaner/profile/ messengerfan http://sourceforge.net/u/sergeyvar/profile/ Sergey V http://interface.sourceforge.net/ http://sourceforge.net/projects/interface/ http://sourceforge.net/u/berndhs/profile/ Bernd H Stramm http://sourceforge.net/u/doobleaner/profile/ messengerfan http://sourceforge.net/projects/starbeam/ http://sourceforge.net/u/marcomu/profile/ Marco M Someone else can search more.
https://cpunks.org//pipermail/cypherpunks/2014-September/005507.html
Reply in thread please.
the point was that I would not use bleep messenger from bittorrent, as it is not open source.
The point in this particular thread is... that since day one you and your project developers are ignoring real concerns being raised about your apparent cluster of projects.
Others like the one you did a research on might be worth for further testings, either by the binaries
Why don' t you test the binaries?
7) Ask a friend [...] to use the binaries: exchange keys, and chat. Done. All is encrypted and you never need to exchange keys.
Your repeated classic dodge... suggesting that people run blobs instead of answering the question. The 'research' was posted to throw up red flags about these projects for anyone searching so the can see and form their own opinion. The world does not need more closed source. And it does not need more non-reproducible binaries. ESPECIALLY from software projects claiming to protect users privacy through encryption, and further enticing the masses to run them by putting cute little doggies on the tin.
The source and the binaries might not be machting from hash, because if you know source projects, the source might be corrected on one or two files even when the binaries have been build.
Fix your code then. Reproducible builds are a MUST for any security/privacy project like yours.
So better build the software from source and use your own binaries. I would suggest to build the crypto core first, which is spot-on.
I cannot help you with compile firefloo messenger on linux or windows, as I have not done this yet.
I'm not going to waste time attempting to build stuff that apparently no one but you and or your devs have been able to build. And I'm not going to waste time disassembling the binaries either. Post your SHA-256 reproducible build instructions on the wiki's for your projects. Then ask for build confirmation/review from the community. Until you either ... A) Quit distributing binaries or B) Tell people in a COMPILING doc included in the sources how to make binaries that SHA-256 match the ones you distribute and then C) Answer why you claimed to be announced/partnered with EFF/CCC (which they have both denied [1]), why you are continuing to mimic the Tor homepage/TBB, why you're directly spamming people with invites, why you are dodging these and other questions, and generally appearing and acting very unusual for an opensource privacy suite ... no one is going to believe these projects are anything but untrustworthy snake oil. Help us help you. In my opinion at this time, these (your) projects have serious trust issues and I wouldn't recommend them until resolved. And while this list isn't perfect or comprehensive, those needing privacy solutions have other options to choose from here... https://www.prism-break.org/ License issues... http://www.gossamer-threads.com/lists/gnupg/users/62118 An example of a decent model announcement and request for review, that your seeming sockpuppet then replied to with a lure... https://lists.torproject.org/pipermail/tor-talk/2014-March/032498.html Old stuff... (RetroShare?) http://nabble.documentfoundation.org/Instant-Messenger-for-Libre-Office-serv... ss-and-open-source-td2595287.html http://comments.gmane.org/gmane.os.haiku.devel/18674 Can anyone provide an overall interpretation in English of posts? http://moenchengladbach.hopto.org/k/buecher/cd0001/instit/org/Aktion_Grundre... /AKV-mailarchiv-2009-201310/author.html http://moenchengladbach.hopto.org/k/buecher/cd0001/instit/org/Aktion_Grundre... /AKV-mailarchiv-2009-201310/26906.html Ps: To date, none of the people potentially related to these projects that I previously CC'd seeking comment from have replied either. [1] Official Comments EFF: https://lists.torproject.org/pipermail/tor-talk/2013-July/029129.html CCC: Subject: [rt.ccc.de #40481] False press using EFF / CCC? goldbug.sf.net
participants (1)
-
grarpamp