verifiable source-only bootstrap from scratch

ahojlm at 0w.se
Fri Mar 10 07:58:28 UTC 2023


Hello Vagrant,

On Thu, Mar 09, 2023 at 02:34:30PM -0800, Vagrant Cascadian wrote:
> > [1] the site is available through the Tor/onion network
> > (for the advantages of convenient and privacy-friendly hosting) at
> > http://rbzfp7h25zcnmxu4wnxhespe64addpopah5ckfpdfyy4qetpziitp5qd.onion/
> 
> Is there a URL other than via tor .onion network to read up on what this
> project is actually doing?

Thanks for the question, but for reasons mentioned below the answer is no.

> While I applaud and support the use of tor, exclusively using tor is a
> bit of a surprise and seems to severely limit the scope of people who
> will even read about it at all.

I assume that most of the people who are concerned about
reproducible builds have solid technical expertise.
Tor browsing should not constitute a noticeable hindrance.

Moreover, the fundamental property of the proposed solution (of
verifiability) is the existence of multiple copies of the published
information, so that the validity of the checksums can be verified by
consensus, without any dependency on some single party's identity /
public key / similar.

Many eyes have to read the scripts and patches and many hands to use
them, independently from each other. Only then will we know for sure
that a certain instance of the binary disk image

1. is not source/script-poisoned by yours truly
2. corresponds to the published sources
3. does not correspond to someone's poisoned alternative version
   presented as the legitimate one
(these are all different properties, but all of them depend on diversity
and consensus)

In that way it makes very little difference whether one of the instances
is exclusively available through Tor.

[The rest of this message is off topic for the list,
sorry for that, but relevant for a proper answer]

The reasons for choosing Tor hosting are

- security
- independence from any DNS services
- no need of any "certification" services
- ease of setup

Glad to hear that you share the respect for Tor.

I see it as a bonus when my practical choice helps to make Tor more
visible.

The "non-Tor" web browsing is problematic for security because of its
PKI and at the same time it is terribly privacy-unfriendly.

I do not feel motivated to contribute to perpetuating the use of inferior
technologies, especially when this would imply an extra effort of mine.

> live well,
>   vagrant

You too,
 an