The Bootstrapping Exam: Escaping from “Trusting Trust”
(www.devever.net)
from cypherpunks@lemmy.ml to security@lemmy.ml on 10 Apr 2024 14:18
https://lemmy.ml/post/14286114
from cypherpunks@lemmy.ml to security@lemmy.ml on 10 Apr 2024 14:18
https://lemmy.ml/post/14286114
#security
threaded - newest
The author’s own solution is not even sufficient to meet their own criteria:
The source code to these programs was obtained through requirement (2):
This code does not specify that it has been signed or has had its authenticity verified. Only code received digitally through requirement (3) is cryptographically verified:
So already at the start of the process, the author is using tools to bootstrap the system which could contain backdoors.
I would change the requirements so that source code printouts are already verified by the person supplying them, or that the solver has to write their own bootstrap tools to get to the point of being able to verify cryptographic hashes/signatures before they can even use any third party source code.