On Sun, Mar 6, 2016, at 11:44 AM, Holger Levsen wrote:
Hi,
On Monday, 29 February 2016, Spencer wrote:
[auto update] a threat model we must take more seriously. We are making real progress.
Like what?
https://reproducible-builds.org has the very long answer and https://reproducible.debian.net shows the status for Debian in great detail. (And these pages have links to the status of other projects as well.)
... and also: https://f-droid.org/wiki/page/Deterministic,_Reproducible_Builds
+n
Hi,
Holger Levsen: https://reproducible-builds.org and https://reproducible.debian.net
Thanks!
Nathan Freitas: https://f-droid.org/wiki/page/Deterministic,_Reproducible_Builds
Thanks!
However, even though reproducible-builds seems to address the manual install as well, which is good, I read the problem as being the actual backdoor of auto-update.
Since my Dad will not be able to make this verification, removing auto-update from the package is the only real resolution here.
Besides, given the broken/missing auto-update opt-out in packages like OrFox, it is difficult to trust the developers, since it is the user who defines "malicious".
Wordlife, Spencer