Author: Wendell 2013-08-07 04:32:08
Published on: 2013-08-07T04:32:08+00:00
Peter Todd suggests using a commitment in the blockchain to ensure that the act of making a release available for download is public, even if developers can control which binaries are made available to a particular target. Each person on the signing list creates a transaction of a special form, from a specific pubkey, that commits to the digest of the binaries. The auto-update code refuses to update unless it sees that special transaction with a sufficient number of confirmations. Developers are then unable to make a special release for a specific target without letting the world know they did so. Peter Todd also highlights that auto-updating is risky because it is easy to target individuals, and suggests extending gitian with quorum signatures and timed quarantine with negative signatures. Gregory Maxwell responded on the subject of automatic updates on liberationtech, regarding the Tor Browser Bundle.
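An added example (not code from the thread or from any Bitcoin client) of the updater-side check described above: install only if enough signers on the list have committed to the exact digest of the downloaded binary, each with enough confirmations. The `Commitment` record, `may_install`, the signer threshold and the placeholder pubkeys are hypothetical; finding and validating the transactions is assumed to be done by the updater's own node.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Commitment:
    """One release-commitment transaction as reported by the updater's own node."""
    signer_pubkey: str   # hex pubkey the transaction was made from
    digest: str          # hex SHA-256 the transaction commits to
    confirmations: int   # current depth in the chain

def may_install(binary: bytes, seen: list[Commitment], signing_list: set[str],
                required_signers: int, min_confirmations: int) -> bool:
    """True only if enough listed signers publicly committed to these exact bytes."""
    digest = hashlib.sha256(binary).hexdigest()
    committed = {
        c.signer_pubkey
        for c in seen
        if c.signer_pubkey in signing_list        # ignore keys not on the list
        and c.digest == digest                    # must match what we were served
        and c.confirmations >= min_confirmations  # ignore shallow commitments
    }  # a set, so a signer who commits twice still counts once
    return len(committed) >= required_signers

# Constructed sample data: placeholder pubkeys and release contents, not real values.
SIGNERS = {"02aa", "02bb", "02cc"}
PUBLIC_RELEASE = b"release-1.0 public build"
TARGETED_BUILD = b"release-1.0 build served to one target only"
PUB = hashlib.sha256(PUBLIC_RELEASE).hexdigest()
CHAIN_VIEW = [
    Commitment("02aa", PUB, 12),
    Commitment("02bb", PUB, 7),
    Commitment("02bb", PUB, 7),   # duplicate from the same signer
    Commitment("02cc", PUB, 1),   # not yet deep enough
    Commitment("02ff", PUB, 50),  # key is not on the signing list
]

if __name__ == "__main__":
    for name, blob in [("public", PUBLIC_RELEASE), ("targeted", TARGETED_BUILD)]:
        print(name, may_install(blob, CHAIN_VIEW, SIGNERS, 2, 6))
```

The targeted build is refused because no commitment to its digest exists on chain; publishing one would make that release visible to everyone.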
Updated on: 2023-06-07T15:23:22.128636+00:00