Ok this is a stupid question

Stefan Claas sac at 300baud.de
Tue Feb 26 21:28:12 CET 2019


On Tue, 26 Feb 2019 13:57:01 -0500,
vedaal at nym.hush.com wrote:

> On 2/26/2019 at 10:29 AM, "Stefan Claas"  wrote:

>> I have learned in the past to trust nobody. Therefore I would
>> not rely on people from the GnuPG ecosystem and what they say.

> It depends on how realistic your threat model is.

Well, mine is actually very low, otherwise I would only read the
list via Tor, for tips and tricks, and not publish keys on key
servers, nor use SMTP to submit encrypted messages. ;-)

> For example, has anyone you know, ever checked how the
> compilers work?  (Reviewed gcc's source code, and the hardware
> necessary to make it run, to ensure that nothing is
> 'added/subtracted/altered' when it gets to machine language? Even
> more difficult when it is a proprietary compiler.)

You bring up an interesting question, imho ... Let's assume the
toolchain is in good condition, but do you / we know if FOSS
coders use online computers to code, and do we know if their computers
are hacked too?

And if so, do coders always have checksums handy (on paper) for
comparison, or are superior Linux tools available which would
detect changes immediately?

And maybe another FOSS point? How about issuing Warrant Canaries?

I have seen that VeraCrypt does this.

Regards
Stefan
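The question above, whether a coder can keep checksums of a source tree and later detect that something on the machine changed it, as an added example that is not part of the original post or of any GnuPG tooling. It builds a sha256sum-style manifest of a tree, and then verifies the tree against a stored copy of that manifest, reporting modified, missing and added files. The directory layout, file contents and the "tampering" are constructed inline for the demo; all function names are this example's own.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, chunk=65536):
    """SHA-256 of one file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def manifest_to_text(manifest):
    """Serialise in the two-space format `sha256sum -c` understands: '<hex>  <path>'."""
    return "".join(f"{digest}  {path}\n" for path, digest in sorted(manifest.items()))


def parse_manifest(text):
    """Inverse of manifest_to_text; ignores blank lines."""
    manifest = {}
    for line in text.splitlines():
        if line.strip():
            digest, path = line.split("  ", 1)
            manifest[path] = digest
    return manifest


def verify(root, stored):
    """Compare the tree under root against a previously stored manifest."""
    current = build_manifest(root)
    modified = sorted(p for p in stored if p in current and current[p] != stored[p])
    missing = sorted(p for p in stored if p not in current)
    added = sorted(p for p in current if p not in stored)
    return {
        "ok": not (modified or missing or added),
        "modified": modified,
        "missing": missing,
        "added": added,
    }


def demo(tamper=True):
    """Constructed demo: snapshot a tiny tree, optionally tamper with it, verify."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "src").mkdir()
        (root / "src" / "main.c").write_text("int main(void) { return 0; }\n")
        (root / "Makefile").write_text("all:\n\tcc src/main.c\n")

        # This text is what you would keep off the machine (printed, or on
        # separate signed media); a manifest stored next to the tree can be
        # rewritten by the same intruder who rewrites the sources.
        baseline = manifest_to_text(build_manifest(root))

        if tamper:
            (root / "src" / "main.c").write_text(
                'int main(void) { puts("backdoor"); return 0; }\n')
            (root / "src" / "evil.h").write_text("/* dropped in */\n")
            (root / "Makefile").unlink()

        return verify(root, parse_manifest(baseline))


if __name__ == "__main__":
    print(demo(tamper=False))
    print(demo(tamper=True))
```

The manifest text is deliberately in `sha256sum` format, so the same baseline can be checked on a plain Linux box with `sha256sum -c manifest.txt` without this script. The check only detects changes made after the snapshot; it says nothing about whether the snapshot itself was taken on a clean machine, which is the trust problem the thread is circling.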