[tahoe-dev] Live Distribution with compiled Tahoe-Lafs

Zooko O'Whielacronx zooko at zooko.com
Thu Dec 8 19:47:30 UTC 2011


Hello again, Renat.

I believe we have exchanged messages before on this mailing list about
your OpenSuse-based Live CD.

I've just added your OpenSuse-based Live CD to this page:
https://tahoe-lafs.org/trac/tahoe-lafs/wiki/OSPackages . Feel free to
update that row.

One concern I have about Live CDs, and indeed about *all* packages of
Tahoe-LAFS, is if the end user would be able to verify exactly what
software they were running and if there was a backdoor or security
flaw in it.

I see that susestudio.com has a declaration on it:

http://susestudio.com/a/FOqCQ8/tahoe-lafs-renats-suse-121

It says:

Security summary

[✓] Only official software sources are included.
[✓] No custom software packages were uploaded.
[ ] Overlay files were uploaded, but none are executable.
[✓] No custom scripts were enabled.

That's a nice step to display that information, but what if that
statement is wrong? What if the resulting Live CD actually has a
backdoor installed on it? How could the user detect that?

This isn't a problem specific to Renat's Live CD. Every packaging of
Tahoe-LAFS shown on
http://tahoe-lafs.org/trac/tahoe-lafs/wiki/OSPackages should be
critically considered with the same question in mind. Those operating
systems use various techniques in the attempt to let people audit or
verify their contents.

Regards,

Zooko


More information about the tahoe-dev mailing list