Received: from sog-mx-2.v43.ch3.sourceforge.com ([172.29.43.192]
	helo=mx.sourceforge.net)
	by sfs-ml-3.v29.ch3.sourceforge.com with esmtp (Exim 4.76)
	(envelope-from <wendel@314t.com>) id 1V6yUJ-0003oy-Oi
	for bitcoin-development@lists.sourceforge.net;
	Wed, 07 Aug 2013 07:48:57 +0000
X-ACL-Warn: 
Received: from mail-we0-f174.google.com ([74.125.82.174])
	by sog-mx-2.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128)
	(Exim 4.76) id 1V6yUH-0003zm-Tn
	for bitcoin-development@lists.sourceforge.net;
	Wed, 07 Aug 2013 07:48:55 +0000
Received: by mail-we0-f174.google.com with SMTP id q54so1245266wes.33
	for <bitcoin-development@lists.sourceforge.net>;
	Wed, 07 Aug 2013 00:48:47 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=google.com; s=20120113;
	h=x-gm-message-state:sender:subject:mime-version:content-type:from
	:in-reply-to:date:cc:message-id:references:to;
	bh=lSskHxaI+eRZX1u/KgQDHIgs8JZqFbJAvOOGX/+tYwg=;
	b=VgekmfNf9Quvnvrk1rDrq2rRBEmU/YUmIkCeHjrmRCDxwYFniQhOUpQiEIeGko7d/k
	08XO8PbvZJJxcS1dtIpLwqL09eMSN2FrEJl+gOR/xJ/Or2i2O3Rkyzevc+bXG9ikG3A1
	V+zKaPySgnjuPMI8MdDa+acDibhUQfb9osl3YLDdSScwR6P6LIVhrcy9h2yj8kzlK/ee
	rgLNTvFdrOmA6a9qrwD9Q8lk3EPCK/FyeqclLNQgTZqcobP2+zUVO2QjKCmw10NLZwbR
	bfgaiIIXPS3IVzbj1wpDVdI9X0gYvGG9zTqZEBmd/E1fLwNSKou1CHeBiwDRm5HNmbgb
	P3gQ==
X-Gm-Message-State: ALoCoQmLq6/1qGLantnEgV+p1kLmn3kHbh79qhjLfjjV+xdh9K01kUo+DpJMCBAqMQnq53SQar/t
X-Received: by 10.194.9.229 with SMTP id d5mr1287897wjb.66.1375861727632;
	Wed, 07 Aug 2013 00:48:47 -0700 (PDT)
Received: from [127.0.0.1] ([82.221.102.245])
	by mx.google.com with ESMTPSA id bt8sm7176336wib.8.2013.08.07.00.48.43
	for <multiple recipients>
	(version=TLSv1 cipher=RC4-SHA bits=128/128);
	Wed, 07 Aug 2013 00:48:46 -0700 (PDT)
Sender: w grabhive <wendel@314t.com>
Mime-Version: 1.0 (Apple Message framework v1283)
Content-Type: multipart/signed;
	boundary="Apple-Mail=_AFADAF3D-909B-40DD-B7E5-5F017BEC76EE";
	protocol="application/pgp-signature"; micalg=pgp-sha1
From: Wendell <w@grabhive.com>
In-Reply-To: <09169cb2-cc59-4261-84e9-0769ec72af6b@email.android.com>
Date: Wed, 7 Aug 2013 06:32:08 +0200
Message-Id: <4E4E5921-E8BF-4274-A062-EF1FBC331C95@grabhive.com>
References: <EE3869FD-6D83-469A-BF4F-31B79CA9950F@grabhive.com>
	<51FFCA9A.6010208@gmail.com> <51FFD722.5090403@gmail.com>
	<09169cb2-cc59-4261-84e9-0769ec72af6b@email.android.com>
To: Peter Todd <pete@petertodd.org>
X-Mailer: Apple Mail (2.1283)
X-Spam-Score: 4.4 (++++)
X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
	See http://spamassassin.org/tag/ for more details.
	1.5 RCVD_IN_PSBL           RBL: Received via a relay in PSBL
	[82.221.102.245 listed in psbl.surriel.com]
	0.6 RCVD_IN_SORBS_WEB RBL: SORBS: sender is an abusable web server
	[82.221.102.245 listed in dnsbl.sorbs.net]
	1.1 DATE_IN_PAST_03_06 Date: is 3 to 6 hours before Received: date
	1.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
	[Blocked - see <http://www.spamcop.net/bl.shtml?82.221.102.245>]
X-Headers-End: 1V6yUH-0003zm-Tn
Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] Safe auto-updating
X-BeenThere: bitcoin-development@lists.sourceforge.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <bitcoin-development.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
	<mailto:bitcoin-development-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=bitcoin-development>
List-Post: <mailto:bitcoin-development@lists.sourceforge.net>
List-Help: <mailto:bitcoin-development-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
	<mailto:bitcoin-development-request@lists.sourceforge.net?subject=subscribe>
X-List-Received-Date: Wed, 07 Aug 2013 07:48:57 -0000


--Apple-Mail=_AFADAF3D-909B-40DD-B7E5-5F017BEC76EE
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

That multisignature/blockchain commitment idea seems really solid, =
Peter.

Thanks very much indeed everyone, this is all very helpful. Much to =
research and think about.

Interestingly, a thread is presently raging on liberationtech about Tor =
Browser Bundle, and the subject of automatic updates has come up. =
Gregory Maxwell responded thusly (cross-posting for completeness):

> _please_ don't deploy automatic updates in a sensitive environment
> like this without at least quorum signatures (like gitian downloader)
> and timed quarantine with negative signatures (harder to make strong
> absent a jamming proof network).

-wendell

grabhive.com | twitter.com/grabhive | gpg: 6C0C9411

On Aug 5, 2013, at 7:49 PM, Peter Todd wrote:

> Gregory Maxwell had some good ideas along these lines at the san jose =
conference. Extending gitian with these kinds of features would be a =
good approach.
>=20
> But I think its worth thinking about attack models. A huge danger with =
auto-updating is that it is easy to target individuals; if I leave =
auto-updates on I am essentially trusting the developers capable of =
signing an update not to specifically try to attack me in the future, a =
much more risky thing to do than simply  trusting them not to release a =
malicious release.
>=20
> Sure you can try to implement anonymous downloads and similar =
mechanisms, but they all tend to be fragile with regard to =
deanonymization attacks.
>=20
> A better way is to ensure that the act of making a release available =
for download must be public, even if you can control what binaries are =
made available to a particular target. You can do this by putting a =
commitment in the blockchain itself. Each person on the signing list =
creates a transaction with a special form from a specific pubkey that =
commits to the digest of the binaries, and the auto-update code refuses =
to update unless it sees that special transaction with a sufficient =
number of confirmations. The developers now can't make a special release =
for a specific target without letting the world know they did so, even =
under coercion.
>=20
> They developers could of course still make a release with code inside =
targeting a specific individual, but in theory at least the public can =
check if their builds are reproducible, and start asking questions why =
not?


--Apple-Mail=_AFADAF3D-909B-40DD-B7E5-5F017BEC76EE
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
	filename=signature.asc
Content-Type: application/pgp-signature;
	name=signature.asc
Content-Description: Message signed with OpenPGP using GPGMail

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.18 (Darwin)

iQIcBAEBAgAGBQJSAc3IAAoJECAN2ykHU5Y6vdkP/ir6wYcnnq2zDq8asRIe09Qd
vKYlx/zB7hXo/scdcJ1OQV126I1ts17io6TuoNB+r34DbYeMo9T20bGJd/ywUQ9w
vRoKSW5hql75ZPOdq5DtBjVGWVms6q1vTHvOYxhW85mlp77NP0dpkuRWYnzGqSXV
P0MzeWL07PZ3RskpbAs7XoCYzURw7shwJyYCqkhHCb0mXv4FzpoxC0UwMSMI7SkI
NKJcVbAp6xcZgsCbGxV6acBUTO/dB5h7UuLEzsRT6pD1O/Dvi3ODp6n5hMMv8MMp
LVJNAeBcMS870D5sE87ZVBepjIWYxFLF0joNMPhJl9q5pTjKnedttPssxnCZv+Cy
F7sqJsb9p0lLrLw1fKDuUx4PBmkd3/aVK1zOPfrArzC7x7pWFVqQAo8PHXpRhusr
eA/2aS0upsWFxxz1k1s6iYop95I+OHGHB/C7NaX2/3oPv9hHv0F2qQgTLF1HCRGU
iZSFQDZonaaA5cMtCPhXkhqMRLefjE2KT27L72eTmEV1qTUeOY6KseoOBNW90IKj
+d/yQ9H8DwRxWld10Dn7nHKLidxfsguDi5/FwGLlVhzrv0+15jEhZ8Tu0Rors24T
0D76YWSO9HcP/8RQX8d10ypjQNDCDHO46mFGR5tP9Muw9L591iji4z+QYAMOq/Uo
WWLd4BnNM33OZu5r3JT4
=ycn/
-----END PGP SIGNATURE-----

--Apple-Mail=_AFADAF3D-909B-40DD-B7E5-5F017BEC76EE--