Linked by davidiwharper on Tue 14th Jan 2014 09:03 UTC
Mozilla & Gecko clones

Mozilla plans to establish an automated process which would verify that binaries contain only the code found in the official source repositories, and not spyware secretly added during the build process at the behest of government intelligence agencies. In a blog post entitled Trust but Verify, CTO Brendan Eich and R&D VP Andreas Gal note that governments "may force service operators [such as Mozilla] to enable surveillance (something that seems to have happened in the Lavabit case)" and pledge to develop systems which will make Firefox resistant to this form of tampering.

Permalink for comment 580652
To read all comments associated with this story, please click here.
Commendable, but possiblly flawed
by flypig on Tue 14th Jan 2014 10:36 UTC
flypig
Member since:
2005-07-13

Even if this whole idea sounds paranoid (the threshold for paranoia seems to have moved since June last year!), it looks to me like a very commendable effort. Unless I've misunderstood, it won't offer any more assurance than compiling the code yourself, but that's more than most of us get now.

However, they'll need to take real care to avoid it being false reassurance. It's great that the blog post cites Ken Thompson's seminal Turing Award Lecture, but what's proposed won't tackle this. The whole point of the lecture was that checking the full source (of both the program *and* the compiler being used) isn't enough to guarantee there are no back doors.

It's a really interesting idea anyway, especially if they actually implement it. If they can get it right, so that end-users can have justified trust, it'll be impressive.

Edited 2014-01-14 10:39 UTC

Reply Score: 6