[tor-talk] BitMail.sf.net v 0.6 - Secure Encrypting Email Client
Robert J. Hansen
rjh at sixdemonbag.org
Fri Nov 15 18:06:22 CET 2013
> I'm replying because, Sourceforge? They fell out of vogue...

For a service that's "out of vogue" they still host an awful lot of
Free Software, and for that I think perhaps we should be a bit
thankful. Their bundling is distasteful, yes, but it's hardly the end
of the world given they've only done it with the explicit permission
of the projects involved. Let's keep a sense of perspective and
remember this is GnuPG-Users, not a Sourceforge list.

> 'Robert' should upload his binaries to Github.

Whenever I hear someone say what another developer 'should' do, I
always mentally substitute 'I want this developer to...' instead.
That seems quite a lot more honest.

That said, there are two major problems with this demand:

    * The 'Robert' who asked about BitMail never
      claimed to be the author and may not have
      the legal right to host the binaries
    * GitHub hasn't allowed projects to host
      binary files in well over a year.

So yes, there are good legal and technical reasons why your demand
cannot be complied with.

> if the MD5 checksum on his compiled binaries matches the MD5 checksum
> on the source code when it is compiled independently, he's golden. That
> is how that works, how it is supposed to work. Accept no substitutes.

Goes against current US-CERT guidance, which deprecates MD5 for all
purposes. The newer SHAs are the way to go. Further, getting two
computers to generate the exact same binary code from the exact same
source code is a surprisingly difficult challenge. It requires a
perfect match of everything from compiler versions to C library
versions right down to identical *clocks* -- because often, compilers
will incorporate timestamps into the output.

Doing checksum validation of source code is feasible. Of binary code,
not really.

More information about the Gnupg-users mailing list
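
The timestamp problem described in the message above, as an added example that is not part of the original post or of any project it mentions: the same constructed files are packaged at two build times and compared by SHA-256, then again with timestamps pinned and entries sorted. The names `package`, `sha256_hex`, `FIXED_EPOCH` and the sample files are assumptions, and a tar.gz archive stands in for compiler output.

```python
import gzip
import hashlib
import io
import tarfile

# Constructed sample "build output": archive member name -> contents.
FILES = {"bin/hello": b"\x7fELF constructed sample payload", "README": b"sample\n"}

# Assumed fixed timestamp used for every normalized build (constructed value).
FIXED_EPOCH = 1384473600


def package(files, build_time, normalize):
    """Pack files into a .tar.gz, as a release script might.

    normalize=False stamps each entry and the gzip header with build_time
    and keeps the caller's file order, so the bytes depend on the clock.
    normalize=True pins both timestamps to FIXED_EPOCH and sorts entries.
    """
    stamp = FIXED_EPOCH if normalize else build_time
    names = sorted(files) if normalize else list(files)
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in names:
            info = tarfile.TarInfo(name)  # uid/gid/owner default to fixed values
            info.size = len(files[name])
            info.mtime = stamp            # timestamp stored in the tar header
            tar.addfile(info, io.BytesIO(files[name]))
    # The gzip header carries its own modification time field.
    return gzip.compress(raw.getvalue(), mtime=stamp)


def sha256_hex(blob):
    """SHA-256 rather than MD5, per the guidance cited in the message."""
    return hashlib.sha256(blob).hexdigest()


if __name__ == "__main__":
    # Two builds of identical input, one second apart (constructed times).
    for normalize in (False, True):
        first = sha256_hex(package(FILES, 1384535182, normalize))
        second = sha256_hex(package(FILES, 1384535183, normalize))
        print("normalized" if normalize else "timestamped", first == second)
        print(" ", first)
        print(" ", second)
```
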