So there's an interesting philosophical point here - we use an adversarial system to achieve consensus on the network's transaction record system (the blockchain) to prevent censorship. Yet here a three letter agency need only attack the single source of software updates to gain control.
Is there a way we can safely distribute or validate the correctness of our software in a censorship resistant manner?
It already does. pigeons will work on reproducible builds. As for the rest, we'd need to make sure it's hard to sybil. This all sounds a bit like "wouldn't it be nice if we all had flying cars". Sure, but you might notice the reason it's not there yet isn't that nobody realized it was a good idea (and I'm not sure about the flying cars one).
So, maybe, but not now.
It is simple, supports simple x.y.z type numeric versions, and does not attempt any kind of validation.
It just checks and prints a message if there is a new version for now.
a5a0a3c core: updates can now be downloaded (and SHA256 hash checked) (moneromooo-monero)
216f062 util: add a SHA256 function (moneromooo-monero)
4bf7849 mlog: only silence errors for net by default, not net.* (moneromooo-monero)
d282cfc core: test key images against validity domain (moneromooo-monero)
efb72e7 http_client: add a couple consts (moneromooo-monero)
f640512 Optionally query moneropulse DNS records to check for updates (moneromooo-monero)
e3cae4a core: display any fork warning at startup too (moneromooo-monero)
969ad71 dns_utils: fix first checked DNS entry being ignored (moneromooo-monero)
08c3f38 util: add a vercmp function to compare version numbers (moneromooo-monero)
e8a7525 dns_utils: factor TXT record loading code from checkpoint code (moneromooo-monero)
@NanoAkron they don't need to just compromise the website. They'd also have to compromise the hashes, which are GPG signed by me (on the website) and also in a DNSSEC-signed record (which is what the updater uses). Compromising my GPG key wouldn't compromise the website or the DNSSEC-signed record. Compromising the DNSSEC-signed record wouldn't compromise the website or my GPG key.
It would be nice if someone built a tool / hosted a site (eventually) that checked if the GPG-signed hashes correctly use my signature, and if the hashes match those in the DNSSEC-signed records.
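An added sketch of the cross-check suggested in the comment above; it is not part of the thread and not the project's code. The `software:buildtag:version:hash` record layout, the function names and the sample data are assumptions, and GPG signature verification and DNSSEC validation are assumed to have succeeded before these functions are called.

```python
import hashlib

def vercmp(a, b):
    """Compare dotted numeric versions (x.y.z); returns -1, 0 or 1."""
    pa = [int(x) for x in a.split(".")]
    pb = [int(x) for x in b.split(".")]
    n = max(len(pa), len(pb))
    pa += [0] * (n - len(pa))
    pb += [0] * (n - len(pb))
    return (pa > pb) - (pa < pb)

def newest_record(txt_records, software, buildtag):
    """Pick the highest-version, well-formed record for one software/buildtag pair."""
    best = None
    for rec in txt_records:
        fields = rec.split(":")
        if len(fields) != 4 or fields[:2] != [software, buildtag]:
            continue
        version, digest = fields[2], fields[3].lower()
        # Accept only numeric version parts and a 64-hex-digit SHA256 value.
        if not all(p.isascii() and p.isdigit() for p in version.split(".")):
            continue
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            continue
        if best is None or vercmp(version, best[0]) > 0:
            best = (version, digest)
    return best

def check_update(current, txt_records, signed_hashes, blob, software, buildtag):
    """signed_hashes: set of hex digests taken from the GPG-verified hash list."""
    rec = newest_record(txt_records, software, buildtag)
    if rec is None or vercmp(rec[0], current) <= 0:
        return ("up-to-date", current)
    version, dns_hash = rec
    if dns_hash not in signed_hashes:   # the two independent sources must agree
        return ("sources-disagree", version)
    if hashlib.sha256(blob).hexdigest() != dns_hash:
        return ("download-mismatch", version)
    return ("ok", version)

# Constructed sample data: a fake archive and fake TXT records.
BLOB = b"constructed update archive"
GOOD = hashlib.sha256(BLOB).hexdigest()
TXT = ["example:linux-x64:0.10.2:" + GOOD,
       "example:linux-x64:0.9.4:" + "0" * 64,
       "malformed record"]

if __name__ == "__main__":
    print(check_update("0.10.1", TXT, {GOOD}, BLOB, "example", "linux-x64"))
```

An update is accepted only when the DNS record, the signed hash list and the downloaded bytes all agree, so tampering with any single source produces a visible mismatch.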
I do not fully understand the mechanism and / or implications.
Arrived here via blog some time ago: https://getmonero.org/2017/05/17/disclosure-of-a-major-bug-in-cryptonote-based-currencies.html
Now I'm looking at https://cryptonotestarter.org/inner.html and https://github.com/cryptonotefoundation/cryptonote
I should probably notify them and request an update.