Most Security Assertions Dangerous [Re: YouTube via Onion Services]

Zenaan Harkness zen at
Thu Dec 6 07:26:16 PST 2018

On Thu, Dec 06, 2018 at 03:25:05AM -0500, grarpamp wrote:
> [1] You can't even say those for the release iso's of
> OpenBSD, FreeBSD, the Linux's, etc... back
> to their claimed source code repos... because
> either those repos have no internal cryptographic
> roots or hashes to sign over or with in the first place,
> or some process in the path from there to the iso's
> is not reproducible or cryptographically chained.

Git style signed content hash chains and reproducible builds FTW

So Debian Buster is over 90%, yay!

>From 2015 80%:
 Lots of progress for Debian's reproducible builds

To Buster ~92.4%:
 “NO! … but buster on amd64 is 92.4% reproducible right now!”

To pretty dang gud bruh!:
 Debian reproducible builds project update, 2017-07-23,
 Stretch/amd64 reaching 94%

 And some nice summary sheetskis and chartskis:

> Same goes for Apple, Microsoft, Intel, AMD, ARM,
> Government, etc...
> You're all still woefully fucked therein because you keep
> buying the Kool-Aid, and refusing to demand, fix,
> ignore, or eliminate them and their issues.
> #OpenFabs , #OpenHW , #OpenSW , #OpenDev , #OpenBiz , #CryptoCurrency
> , #Anarchism


> The list of requisites to even get close to improving
> the situation grows...

Improvement in problem definition is necessary, and is not an
"increase" in the requisites to e.g. security of personal
communications, simply a fuller understanding of the problem.

Alt: we are rising from ignorance. Painful but necessary awareness.

Let's add to the above list another obvious in hindsight:
#StackMinimization - including HW - i.e. trust boundaries (nee attack
surfaces) must be seriously minimized to reach something we can
collectively reason about in its elements (hw/ sw).

More information about the cypherpunks mailing list