Hi There,
AK wrote:
> Sorry, forgot to answer your first question.
> The sources are mostly taken from already quite trusted sources and
> can be verified by PGP signatures. You can also read the sources and
> since they get compiled on your computer, you know that what you read
> is what you get. Also, other people can read the sources and give
> reviews and you will know that those reviews actually correspond to
> what is running on your system.
Sorry - not trying to be too critical here, but those sound like weasel
words - 'mostly taken' and 'can be'. Without having *all* source
verified by cryptographic signatures or otherwise, you're probably
increasing the chances of rogue code running, rather than mitigating it
with binaries.
Reviews take too long - by the time a 'negative' review is out - it's
too late, there will be systems that are running compromised code.
My first suggestion - all source / binaries being cryptographically
verified.
P.
_______________________________________________
tor-talk mailing list
[email protected]
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk