
Re: Compromising Debian Repositories




Probably parts of the answer lie in deterministic builds, see below.

hth.

best,
kloschi


-------- Original Message --------
Subject: [liberationtech] Deterministic Builds Part One: Cyberwar and
Global Compromise
Date: Thu, 22 Aug 2013 10:39:56 +0000
From: Jacob Appelbaum <jacob@appelbaum.net>
Reply-To: liberationtech <liberationtech@lists.stanford.edu>
To: liberationtech@lists.stanford.edu <liberationtech@lists.stanford.edu>

Hi,

I think a lot of people would benefit from reading Mike Perry's latest
blog post. He addresses how The Tor Project is working towards the
problems referenced by Zooko in his latest open letter to Silent Circle:


https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise

"Current popular software development practices simply cannot survive
targeted attacks of the scale and scope that we are seeing today."

All the best,
Jacob

