Board Development & Technical Discussion
Re: Please remove Bitcoin from Sourceforge.net
by
EricJ2190
on 18/08/2011, 17:58:31 UTC
I don't really get it, how can I possibly protect others when the binaries I serve can potentially be malicious and I can potentially have malicious intentions?

Should I post checksums? Doesn't work:
 - if I have malicious intentions the checksums will match the malicious binaries.
 - if the binaries get changed without me knowing, it means that the server got compromised, so the checksums shouldn't be trusted either
 - if I post a link to SF, that won't help since some users won't be able to access it and it also could be compromised

Let's face it, if you're truly paranoid, you read the source and then you compile it. Oh wait, you'd need to compile gcc too ;)

If you have better ideas than the couple I exposed I'm open. But I'd rather give no checksums than a false sense of security.



Actually I do compile gcc, but not for security reasons, lol.

And you are right about it being better to provide no checkfiles than provide a false sense of security.

What you could do is also mirror http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.3.24/SHA1SUMS.asc/download and provide a link to http://bitcoin.org/jgarzik-exmulti.asc which an earlier post said is the right signature to verify. Now you have not only provided a way to check your mirrored files, but that no one has changed the sf ones since you mirrored them.

The idea is that you would have Jeff's PGP already, and not simply download it whenever you are checking a new binary. When you get the key for the first time, as with all PGP public keys, you should not trust its validity until you are convinced it is correct. You make this decision based on several factors such as where you obtained the key, what other sources agree that this key is legitimate, the PGP web-of-trust, etc.

Jeff's key could use more signatures. Somebody make him attend a keysigning party.
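The check the reply describes (verify the signed SHA1SUMS.asc against a key you already hold, then compare the mirrored binaries against the listed hashes), as an added example; this is not code from the thread or from the Bitcoin project. It assumes GnuPG is installed, that the signer's key was imported once into a dedicated keyring file rather than fetched at check time, and that the checksum file uses the usual "<hex>  <filename>" lines inside a clearsign wrapper. The sample checksum text, file names and file contents at the bottom are constructed for illustration.

```python
"""Verify a mirrored release against a signed checksum file.

Added example, not code from the thread or the Bitcoin project.  Assumes a
SHA1SUMS-style file (one "<40 hex>  <filename>" line per file, optionally
wrapped in a PGP clearsign block) and a GnuPG keyring that already holds the
release signer's key, pinned locally in advance.
"""
import hashlib
import re
import subprocess
from pathlib import Path

# "hash<space><space or *>filename"; the '*' marks binary mode in sha1sum output.
SUM_LINE = re.compile(r"^([0-9a-fA-F]{40}) [ *](.+)$")


def parse_sha1sums(text):
    """Return {filename: sha1hex} from SHA1SUMS-style text.

    The clearsign header lines and the signature block of a .asc file do not
    look like checksum lines, so they are skipped and the file can be parsed
    as-is after gpg has verified it.
    """
    sums = {}
    in_signature = False
    for line in text.splitlines():
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            in_signature = True
        if in_signature:
            if line.startswith("-----END PGP SIGNATURE-----"):
                in_signature = False
            continue
        match = SUM_LINE.match(line.strip())
        if match:
            sums[match.group(2)] = match.group(1).lower()
    return sums


def check_files(sums, contents):
    """Compare the SHA-1 of each listed file against the checksum list.

    contents maps filename -> bytes.  Returns {filename: status} with status
    'ok', 'mismatch' or 'missing'.  A mismatch means the mirrored file is not
    the one the signer hashed, so it must not be served.
    """
    report = {}
    for name, expected in sums.items():
        data = contents.get(name)
        if data is None:
            report[name] = "missing"
        elif hashlib.sha1(data).hexdigest() == expected:
            report[name] = "ok"
        else:
            report[name] = "mismatch"
    return report


def verify_signature(sums_path, keyring_path):
    """Check the clearsigned checksum file against a pinned keyring only.

    keyring_path is a dedicated keyring file (built once, e.g. with
    gpg --no-default-keyring --keyring release-keys.gpg --import key.asc),
    given as an absolute path, so the key is never fetched from the same
    server as the binaries.  Returns True only when gpg reports GOODSIG;
    whether that key is the right person's key is the separate trust
    decision the post talks about.
    """
    cmd = ["gpg", "--no-default-keyring", "--keyring", str(Path(keyring_path).resolve()),
           "--status-fd", "1", "--verify", str(sums_path)]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.returncode == 0 and "[GNUPG:] GOODSIG" in proc.stdout


def verify_mirror(sums_path, keyring_path, mirror_dir):
    """Full check for a mirror: signature first, then every listed file."""
    if not verify_signature(sums_path, keyring_path):
        raise RuntimeError("checksum file is not signed by a pinned key")
    sums = parse_sha1sums(Path(sums_path).read_text())
    contents = {}
    for name in sums:
        path = Path(mirror_dir) / name
        if path.is_file():
            contents[name] = path.read_bytes()
    return check_files(sums, contents)


# Constructed sample data: sha1("abc") and sha1("") are the well-known test
# vectors; the signature body is a placeholder, not a real signature.
SAMPLE_SHA1SUMS = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

a9993e364706816aba3e25717850c26c9cd0d89d  good.tar.gz
da39a3ee5e6b4b0d3255bfef95601890afd80709  empty.tar.gz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

PLACEHOLDER-SIGNATURE-BODY
-----END PGP SIGNATURE-----
"""
# The second file has been altered after mirroring, so it must be flagged.
SAMPLE_FILES = {"good.tar.gz": b"abc", "empty.tar.gz": b"tampered"}

if __name__ == "__main__":
    print(check_files(parse_sha1sums(SAMPLE_SHA1SUMS), SAMPLE_FILES))
```

The order matters: gpg must accept the checksum file before any hash in it is believed, otherwise an attacker who replaced the binaries on the mirror could replace SHA1SUMS.asc with one that matches them. Keeping the signer's key in a keyring you built earlier is what makes the signature check mean something; downloading the key from the mirror at check time would just move the same trust problem one file over.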