limits of network hacking/netsplits (was: Discovery/addr packets)



Summary:

The email conversation between Mike Hearn and Adam discusses the trustworthiness of Bitcoin binaries and ways to get assurance of their source. They discuss the website redesign, which hid the signatures, and the suggestion that PGP signatures can be checked using the web of trust (WoT). Some developers have their keys in a PGP Global Trust Register, which could provide a level of trust for those who take the PGP WoT seriously. An SSL-enabled website can be trusted to send binaries securely only up to the limit set by the weakest link in CA security. A threshold RSA library is theoretically capable of splitting the RSA keys used to protect updates, and Andreas may be open to doing this so that a quorum of developers is required to release an update. Linux was identified as having the worst situation, because man-in-the-middle attacks by package maintainers are common and actively encouraged, though there is currently no warning on the Bitcoin website. Having multiple people sign the release and assert that they see nothing malicious could help provide assurance of the source, even if one or more signers were pseudonymous.


Updated on: 2023-06-06T16:16:21.978367+00:00