[-] max@nano.garden 4 points 1 year ago

No, I'm not concerned about a lawsuit. It's something that I want to do because I think that it is important. If I want to share tools with non-tech savvy people who are unable to build them from source, I want to be able to share these without anyone needing to "trust" me. The reproducible builds standards are a very nice idea, and I will learn how to implement them.

But I still wonder whether my approach is valid or not - is printing the hash of the output executable during Github's build process, such that it is visible in the workflow logs, very strong evidence that the executable in the release with the same hash was built by github through the transparent build process? Or is there a way a regular user would be able to fake these logs?

[-] max@nano.garden 5 points 1 year ago* (last edited 1 year ago)

Ooh, I think I found the paper!

Oof:

The actual bug I planted in the compiler would match code in the UNIX "login" command. The re- placement code would miscompile the login command so that it would accept either the intended encrypted password or a particular known password. Thus if this code were installed in binary and the binary were used to compile the login command, I could log into that system as any user

[-] max@nano.garden 9 points 1 year ago

My new phone runs GrapheneOS and I love it.

One recommendation that I would give people is that it does not need to be an all-or-nothing jump into the abyss. It can be a bit disheartening when you try to get rid of all the privacy-invasive things in your life and you get cut off from your family and friends.

After some failed attempts, the strategy that I have found more successful is that I have new phone that I installed GrapheneOS into, and I keep the older phone with whatsapp. The older phone is in Airplane mode connected to WiFi at my home. It is effectively a landline. I can still use it once or twice a day to check on my family through WhatsApp without having to broadcast my location all day to Meta. This way I don't need to install any sandboxed Google Play services into my new phone. The old phone is the sandboxed Google Play. I also use the old phone for verifications, 2FA, and any other things that I don't want to contaminate my new phone with.

Over time I am finding that my GrapheneOS is perfectly functional. The main difficulty is the chats services that are used by my family, friends, and work-related "group chats". I have convinced some people to join my XMPP server, including my mom (wuhuu), but it is an uphill battle. That's why the other phone is still essential for me.

[-] max@nano.garden 5 points 1 year ago* (last edited 1 year ago)

I think that any step that facilitates verifying the build is great. If trust is required, then I should simply not release any executables if I want to remain anonymous. I would like to be able to release executables without needing to ask people to blindly trust me. I would like to be able to show them reasonably good evidence that the program is built from the source that I say it is.

[-] max@nano.garden 8 points 1 year ago

If I understand this correctly, signify would allow someone to verify that the executable was built by me. But then they would still have to trust me, because I can also sign the malicious executable.

76
submitted 1 year ago by max@nano.garden to c/opensource@lemmy.ml

I have forked a project's source code on GitHub. The program takes a private key as an input and that key must never leave the client. If I want to share a pre-built executable as a release it is essential that I can prove beyond reasonable doubt that it is built from the published source.

I have learned about how to publish the releases by using a Workflow in the GitHub actions such that GitHub itself will build the project and then repare a release draft with the built files as well as the file hashes..

However, I noticed that the release is first drafted, and at that point I have the option to manually swap the executable and the hashes. As far as I can tell, a user will not be able to tell if I swapped a file and its corresponding hashes. Or, is there a way to tell?

One potential solution that I have found is that I can pipe the output of the hashing both to a file that is stored and also to the publicly visible logs by using "tee". This will make it such that someone can look through the logs of the build process and confirm that the hashes match the hashes published in the release.

Like this:

I would like to know whether:

  • There is already some built-in method to confirm that a file is the product of a GitHub workflow

  • The Github Action logs can easily be tampered by the repo owner, and the hashes in the logs can be swapped, such that my approach is still not good enough evidence

  • If there is another, perhaps more standard method, to prove that the executable is built from a specific source code.

[-] max@nano.garden 28 points 1 year ago

Finally. Someone noticed 🥹

[-] max@nano.garden 5 points 1 year ago

The creator of the tool is the admin of lemmings.world, and the tool is hosted at schedule.lemmings.world. So, if you have a user at lemmings.world, you can use this tool without having to trust a third-party.

If you don't have a user there, you can create a user in that instance for the purpose of creating scheduled posts. Removing the need to trust two parties rather than one.

And, of course, since the source code is open anyone else can attach this to their own instance! Pretty cool.

[-] max@nano.garden 21 points 1 year ago
[-] max@nano.garden 18 points 1 year ago

Aah, ok! That at least explains what they could have been thinking.

But, of course, this is a terrible idea!!

[-] max@nano.garden 41 points 1 year ago

Both sides? "Oh yeah, the front looks a lot like the ID I lost, but can you please send me the back side too so that I can confirm?"

[-] max@nano.garden 4 points 1 year ago

You have a good reason to be proud. It's awesome!

[-] max@nano.garden 13 points 1 year ago

Funny thing is that those of who left aren't there anymore to comment that we did leave... So anyone who is still there is probably looking at the others who stayed and saying "See?! The protest didn't work because we are still here!"

view more: next ›

max

joined 1 year ago