Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
So there's an interesting philosophical point here - we use an adversarial system to achieve consensus on the network's transaction record system (the blockchain) to prevent censorship. Yet here a three letter agency need only attack the single source of software updates to gain control.
Is there a way we can safely distribute or validate the correctness of our software in a censorship resistant manner?
It already does. pigeons will work on reproducible builds. As for the rest, we'd need to make sure it's hard to sybil. This all sounds a bit like "wouldn't it be nice if we all had flying cars". Sure, but you might notice the reason it's not there yet isn't that nobody realized it was a good idea (and I'm not sure about the flying cars one).
So, maybe, but not now.
Feb 21, 2017
0 of 10 checks passed
added a commit
this pull request
Feb 21, 2017
@NanoAkron they don't need to just compromise the website. They'd also have to compromise the hashes, which are GPG signed by me (on the website) and also in a DNSSEC-signed record (which is what the updater uses). Compromising my GPG key wouldn't compromise the website or the DNSSEC-signed record. Compromising the DNSSEC-signed record wouldn't compromise the website or my GPG key.
It would be nice if someone built a tool / hosted a site (eventually) that checked if the GPG-signed hashes correctly use my signature, and if the hashes match those in the DNSSEC-signed records.
I do not fully understand the mechanism and / or implications.
Arrived here via blog some time ago: https://getmonero.org/2017/05/17/disclosure-of-a-major-bug-in-cryptonote-based-currencies.html
Now I'm looking at https://cryptonotestarter.org/inner.html and https://github.com/cryptonotefoundation/cryptonote
I should probably notify them and request update.