public inbox for bitcoindev@googlegroups.com
From: Adam Back <adam@cypherspace•org>
To: Tier Nolan <tier.nolan@gmail•com>
Cc: Bitcoin Dev <bitcoin-development@lists•sourceforge.net>
Subject: Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?
Date: Fri, 3 Jan 2014 14:09:11 +0100
Message-ID: <20140103130911.GA12653@netbook.cypherspace.org>
In-Reply-To: <CAE-z3OV2jxwO0t2NcJSmJM5WH5aWZtSv3JxhFs0wNMA_PQ257w@mail.gmail.com>

You know if you want to make some form of investment, you might like to make an
attempt to look them up on the internet, check the phone number in a phone
book or directory enquiries, look for references and reviews?

So it is with the hash of the binary you are about to trust with your
investment funds.  I don't think it's such a difficult question.  Ask your
more technical friends to confirm this hash is correct.

It's interesting that hashes are more trustworthy than signatures, since all
the NSLs and backdoors, it's hard to trust a signature.

I have the same problem with Linux distros that want to install hundreds of
components downloaded over the internet, based on signatures.  I would far
rather a merkle hash of the distribution at that point in time, which
authenticates directly any of the optional downloadable components.

(Or better yet a distro that like comes on a CD and doesn't download
anything...  Amazing how most CD and even DVD iso images immediately
download stupid things like fonts???  What were they thinking?  I downloaded
Fedora > 4GB of stuff and they need to download a font just to get past step
2 of the installer?  That's a senseless, retrograde, selective backdoor
opportunity.)

Adam

On Fri, Jan 03, 2014 at 11:22:35AM +0000, Tier Nolan wrote:
>   On Fri, Jan 3, 2014 at 9:59 AM, Drak <[1]drak@zikula•org> wrote:
>
>   Which is why, as pointed out several times at 30c3 by several renowned
>   figures, why cryptography has remained squarely outside of mainstream
>   use. It needs to just work and until you can trust the connection and
>   what the end point sends you, automatically, it's a big fail and the
>   attack vectors are many.
>   <sarcasm>I can just see my mother or grandma manually checking the hash
>   of a download... </sarcasm>
>
>   Maybe a simple compromise would be to add a secure downloader to the
>   bitcoin client.
>   The download link could point to a meta-data file that has info on the
>   download.
>   file_url=
>   hash_url=
>   sig_url=
>   message=This is version x.y.z of the bitcoin client
>   It still suffers from the root CA problem though.  The bitcoin client
>   would accept Gavin's signature or a "core team" signature.
>   At least it would provide forward security.
>   It could also be used to download files for different projects, with
>   explicit warnings that you are adding a new trusted key.
>   When you try to download, you would be given a window
>   Project: Some Alternative Wallet
>   Signed by: P. Lead
>   Message:
>   Confirm download Yes No
>   However, even if you do that, each trusted key is only linked to a
>   particular project.
>   It would say if the project and/or leader is unknown.
>
>References
>
>   1. mailto:drak@zikula•org
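
Added example (not part of the message above, and not any distribution's actual tooling): a sketch of the "merkle hash of the distribution" idea, where one published root hash lets a client authenticate any single optional component from a short inclusion proof. The leaf/node encoding, function names and component names are assumptions made for illustration.

```python
import hashlib

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(name: str, content: bytes) -> bytes:
    # 0x00 marks a leaf and 0x01 an interior node (the RFC 6962 convention),
    # so an interior node can never be passed off as a component.
    return _h(b"\x00" + name.encode() + b"\x00" + _h(content))

def _levels(leaves):
    levels = [leaves]
    while len(levels[-1]) > 1:
        cur, nxt = levels[-1], []
        for i in range(0, len(cur), 2):
            if i + 1 < len(cur):
                nxt.append(_h(b"\x01" + cur[i] + cur[i + 1]))
            else:
                nxt.append(cur[i])  # unpaired node is promoted unchanged
        levels.append(nxt)
    return levels

def merkle_root(components: dict) -> bytes:
    # Sorting by name fixes the leaf order, so the root is reproducible.
    leaves = [leaf_hash(n, components[n]) for n in sorted(components)]
    return _levels(leaves)[-1][0]

def prove(components: dict, name: str):
    names = sorted(components)
    levels = _levels([leaf_hash(n, components[n]) for n in names])
    idx, path = names.index(name), []
    for level in levels[:-1]:
        sib = idx ^ 1
        if sib < len(level):
            path.append((level[sib], sib < idx))  # (sibling, sibling_is_left)
        idx //= 2
    return path

def verify(root: bytes, name: str, content: bytes, path) -> bool:
    # The client holds only the root, the downloaded file and the proof.
    node = leaf_hash(name, content)
    for sibling, is_left in path:
        node = _h(b"\x01" + (sibling + node if is_left else node + sibling))
    return node == root

# Constructed sample distribution (hypothetical names, not real packages).
DISTRO = {"base.img": b"kernel+userland", "fonts.pkg": b"font data",
          "docs.pkg": b"manuals", "extras.pkg": b"optional tools",
          "lang-fr.pkg": b"locale"}
ROOT = merkle_root(DISTRO)
```

The root is the one value a user would cross-check out of band; a component fetched later is accepted only if `verify` returns true against that root.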
