Re: TrueCrypt

To: debian-knoppix@lists.debian.org
Subject: Re: TrueCrypt
From: cedar <cedar@3web.net>
Date: Thu, 04 Jan 2007 10:26:11 -0800
Message-id: <459D46C3.6060808@3web.net>
In-reply-to: <20070104152209.GZ28980@knopper.net>
References: <200701011514.09474.gilpel@altern.org> <eefbdb720701020818o5112862er4a47f285c1907be3@mail.gmail.com> <20070102203009.GW2814@knopper.net> <20070103094213.GS28980@knopper.net> <eefbdb720701030755v7079e313tb8092ea448ac909b@mail.gmail.com> <20070103170436.GX28980@knopper.net> <459C8A92.6020906@3web.net> <20070104152209.GZ28980@knopper.net>

Martin Oehler wrote:
> I think this could become a very interesting discussion. 
Hm...!

Hi Martin,

There is no way to prove that any piece of cryptographic algorithm
code implementation - let alone a complete data protection package with
tens of thousands of lines of code - does not contain a single fault
that has, potentially, catastrophic consequences for the user. (And in
this context, "catastrophic" can be orders of magnitude worse than a
system that fails to boot :).

Discussing why a package like TrueCrypt has reached a level of trust that
its alternatives have not reached is not what this is about: the fact
is that people who have serious data protection requirements trust TC
more than any of the alternatives. I, personally, would never criticise
a Linux distribution for some arcane bug (see above, CA vs., CF keyboard
problem, previously working and then suddenly appearing in 5.x...) because
I have a reasonable idea of what distro packaging process looks like,
and because I know how utterly impossible it is to test all code
inter-dependencies between the kernel and packages, and (worse!) between
the application packages. This is exactly why I, for one, prefer a
crypto application that does not depend on kernel crypto implementations,
and a package developed by a small number of developers, with few - if
any - dependencies on some component that might change from one release
to another.

But let me stop here. Those that have reached their decision of what to
trust and what not to trust will not have their opinion changed by the
banter on this list. And if I was deciding which applications to include
and which not to include in Knoppix, I would make such decision purely
on the utility of what I am putting together, to the greatest number of
serious users of my product, and not on what I believe they ought or
ought not to be using. Finally, TC Linux is an extremely compact and
isolated command-line application, and it in no way interferes with the
inclusion and/or use of its alternatives.

With all that said, there might be some licensing problems to resolve.
If Klaus a-priory rejects anything that is non-GPL for ideological
reasons, (as he has every right to do!) that is that, and any further
discussion is a waste of bandwidth (...Klaus?). Alternatively, I'm
confident that some modest back and forth with TC foundation can resolve
the issue. After all, it should be of considerable interest to the TC
developers to have the TC Linux included in Knoppix.

I. Cedar

Reply to:

References:
- A few comments about Knoppix 5.1
  - From: gilpel@altern.org
- Re: A few comments about Knoppix 5.1
  - From: "Peter Pauly" <ppauly@gmail.com>
- Re: A few comments about Knoppix 5.1
  - From: Klaus Knopper <debian-knoppix@knopper.net>
- Re: A few comments about Knoppix 5.1
  - From: Martin Oehler <oehler@knopper.net>
- Re: A few comments about Knoppix 5.1
  - From: "Peter Pauly" <ppauly@gmail.com>
- Re: A few comments about Knoppix 5.1
  - From: Martin Oehler <oehler@knopper.net>
- TrueCrypt (was: A few comments about Knoppix 5.1)
  - From: cedar <cedar@3web.net>
- Re: TrueCrypt (was: A few comments about Knoppix 5.1)
  - From: Martin Oehler <oehler@knopper.net>

Prev by Date: Re: TrueCrypt (was: A few comments about Knoppix 5.1)
Next by Date: Re: A few comments about Knoppix 5.1
Previous by thread: Re: TrueCrypt (was: A few comments about Knoppix 5.1)
Next by thread: Re: A few comments about Knoppix 5.1
Index(es):
- Date
- Thread