Why trust gpg4win?

Julian H. Stacey jhs at berklix.com
Fri Jul 26 16:57:43 CEST 2013 

"Mark H. Wood" wrote:
> On Fri, Jul 26, 2013 at 12:14:08AM +0200, Julian H. Stacey wrote:
> > Hi, Reference:
> > > From:		atair <atair04 at googlemail.com>=20
> > > Date:		Thu, 25 Jul 2013 21:17:43 +0000=20
> >=20
> > atair wrote:
> > ...
> > Therefore, changes that look like
> > back doors are VERY unlikely to find their way in a release, because
> > hundreds of people are looking how the software evolves and will
> > reject such a patch.
> > ...
> >=20
> > Yes, malign code would have to hide in plain view in source (& most
> > likely evil patches wouldn't get past the view of the people commiting
> > the `improvement' to the source repository ;-).
> >=20
> > However you missed the point that many MS users are not programmers,
> > & will not be compiling their own binaries, so any malign entity
> > could regularly hack their nasty extras in, compile & issue binaries
> > that dont match published source (sure that would breach licence,
> > but irrelevant to an evil doer), & those without access to exactly
> > the same set of compiler tools would not easily knowof embedded
> > evil extra mods.
> 
> But it takes only one person who can and does do this inspection, to
> reveal the evil deed.  

Not likely to happen regularly, per release, Analysing MS binaries.

I've no longer any idea how many different C compilers may currently be
available for MS, (I long ago gave up compiling for MS PCs :-)

I've never seen any net site that offers .exes to run on MS
that states exactly which compiler assembler linker etc was used &
in which order modules & libs were linked etc.

Knowing MS, they probably slip a mickey in as a tracer, & vary the generated
.exe according to which compiler (if theirs) licence number built it. 

One can't assume whoever offers a .exe has used a the same free GCC
compiler for MS aka http://www.cygwin.org that we might by default
reach for.

It would be hard Work, comparing & analysing different _binaries_
not _sources_ to differentiate benign irrelevant differences from
link order & tools used, & maybe date stamp & trace of compiler
host & licence number, as opposed to possible differences from to
malign source manipulation,

I wouldn't waste time working unpaid analysing MS binaries to protect
clueless MS end users.  More fun to develop source code for projects.
I assume the vast majority would see it the same, most would only
get interested if someone waved money at us to analyse binaries for
MS end users.

The same BSI https://www.bsi.bund.de/EN/Home/home_node.html that a
previous writer would prefer to distrust, I'd also consider perhaps as
a sponsor to pay independent consultants to analyse &/or generate
binaries for public use ... & not just for GPG.

Then the question: If government paid someone to do that, how could
we (the end user, this list, or the paying sponsor) trust that
person ?  The old Roman
	http://en.wikipedia.org/wiki/Quis_custodiet_ipsos_custodes%3F

Solution:
  Get a collection of companies & governments or EU etc to sponsor
  generating of binaries on a custom compiler host where all parts
  of entire OS are read-able under http:// & ftp:// & where that
  host also offers a copy of itself so people can download a
  checksum'ed copy of image of host so people can run a clone & see
  the checksums are same.

  Could be fun work !
  ( It's fascinating how such projects start & grow & funded, at a lecture
  2 days back to 300 in Munich on 24th July 
	 https://gnunet.org/tor2013tum
  2 Americans from
  	https://www.torproject.org 
  mentioned some of their users include US government, which was
  why when one arm of US goverment proposed blocking them, they got
  told by another arm of US goverment: Don't do that, we use them too!
  Some of torproject sponsors are arms of government
	https://www.torproject.org/about/sponsors.html.en 
  So similarly, best not assume BSI is bad, or good, it might be a mix,
  not that I know.

Cheers,
Julian
-- 
Julian Stacey, BSD Unix Linux C Sys Eng Consultant, Munich http://berklix.com
 Reply below not above, like a play script.  Indent old text with "> ".
 Send plain text.  No quoted-printable, HTML, base64, multipart/alternative.

More information about the Gnupg-users mailing list