Received: from sog-mx-4.v43.ch3.sourceforge.com ([172.29.43.194] helo=mx.sourceforge.net) by sfs-ml-4.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1UNSAs-0001uq-7O for bitcoin-development@lists.sourceforge.net; Wed, 03 Apr 2013 18:12:42 +0000 Received-SPF: pass (sog-mx-4.v43.ch3.sourceforge.com: domain of gmail.com designates 209.85.220.182 as permitted sender) client-ip=209.85.220.182; envelope-from=grarpamp@gmail.com; helo=mail-vc0-f182.google.com; Received: from mail-vc0-f182.google.com ([209.85.220.182]) by sog-mx-4.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.76) id 1UNSAr-0007WT-9Q for bitcoin-development@lists.sourceforge.net; Wed, 03 Apr 2013 18:12:42 +0000 Received: by mail-vc0-f182.google.com with SMTP id ht11so1699386vcb.41 for ; Wed, 03 Apr 2013 11:12:35 -0700 (PDT) MIME-Version: 1.0 X-Received: by 10.52.68.235 with SMTP id z11mr1783033vdt.107.1365012755774; Wed, 03 Apr 2013 11:12:35 -0700 (PDT) Received: by 10.220.115.7 with HTTP; Wed, 3 Apr 2013 11:12:35 -0700 (PDT) In-Reply-To: References: <20130401225107.GU65880@giles.gnomon.org.uk> <20130401225417.GV65880@giles.gnomon.org.uk> Date: Wed, 3 Apr 2013 14:12:35 -0400 Message-ID: From: grarpamp To: bitcoin-development@lists.sourceforge.net Content-Type: text/plain; charset=UTF-8 X-Spam-Score: -1.6 (-) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for sender-domain 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (grarpamp[at]gmail.com) -0.0 SPF_PASS SPF: sender matches SPF record -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature X-Headers-End: 1UNSAr-0007WT-9Q Subject: Re: [Bitcoin-development] bitcoin pull requests X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 03 Apr 2013 18:12:42 -0000 > Users will have available multisig addresses which require > transactions to be signed off by a wallet HSM. (E.g. a keyfob Hardware is a good thing. But only if you do the crypto in the hardware and trust the hardware and its attack models ;) For instance, the fingerprint readers you see everywhere... many of them just present the raw fingerprint scan to the host (and host software), instead of hashing the fingerprint internally and using that as primitive in crypto exchanges with the host. They cheaped out and/or didn't think. So oops, there went both your security (host replay) and your personal privacy (biometrics), outside of your control. All with no protection against physical fingerprint lifting. > This doesn't remove the need to improve repository integrity. ... but > repository integrity is a general problem that is applicable to many > things (after all, what does it matter if you can't compromise Bitcoin > if you can compromise boost, openssl, or gcc?) Yes, that case would matter zero to the end product. However having a strong repo permits better auditing of the BTC codebase. That's a good thing, and eliminates the need to talk chicken and egg. > It's probably best > that Bitcoin specalists stay focused on Bitcoin security measures, and > other people interested in repository security come and help out > improving it. An obvious area of improvement might be oddity > detection and alerting: It's weird that I can rewrite history on > github, so long as I do it quickly, without anyone noticing. If no one is verifying the repo, sure, even entire repos could be swapped out for seemingly identical ones. Many repos do not have any strong internal verification structures at all, and they run on filesystems that accept bitrot. Take a look at some OS's... OpenBSD and FreeBSD, supposedly the more secure ones out there... both use legacy repos on FFS. Seems rather ironic in the lol department. Thankfully some people out there are finally getting a clue on these issues, making and learning the tools, converting and migrating things, working on top down signed build and distribution chain, etc... so maybe in ten years the opensource world will be much farther ahead. Or at least have a strong audit trail.