Most Security Assertions Dangerous [Re: YouTube via Onion Services]
zen at freedbms.net
Thu Dec 6 07:26:16 PST 2018
On Thu, Dec 06, 2018 at 03:25:05AM -0500, grarpamp wrote:
> You can't even say those for the release iso's of
> OpenBSD, FreeBSD, the Linux's, etc... back
> to their claimed source code repos... because
> either those repos have no internal cryptographic
> roots or hashes to sign over or with in the first place,
> or some process in the path from there to the iso's
> is not reproducible or cryptographically chained.
Git style signed content hash chains and reproducible builds FTW
So Debian Buster is over 90%, yay!
From 2015 80%:
Lots of progress for Debian's reproducible builds
To Buster ~92.4%:
“NO! … but buster on amd64 is 92.4% reproducible right now!”
To pretty dang gud bruh!:
Debian reproducible builds project update, 2017-07-23,
Stretch/amd64 reaching 94%
And some nice summary sheetskis and chartskis:
> Same goes for Apple, Microsoft, Intel, AMD, ARM,
> Government, etc...
> You're all still woefully fucked therein because you keep
> buying the Kool-Aid, and refusing to demand, fix,
> ignore, or eliminate them and their issues.
> #OpenFabs , #OpenHW , #OpenSW , #OpenDev , #OpenBiz , #CryptoCurrency
> , #Anarchism
> The list of requisites to even get close to improving
> the situation grows...
Improvement in problem definition is necessary, and is not an
"increase" in the requisites to e.g. security of personal
communications, simply a fuller understanding of the problem.
Alt: we are rising from ignorance. Painful but necessary awareness.
Let's add to the above list another obvious in hindsight:
#StackMinimization - including HW - i.e. trust boundaries (nee attack
surfaces) must be seriously minimized to reach something we can
collectively reason about in its elements (hw/ sw).