From: Wendell
Date: Wed, 7 Aug 2013 06:32:08 +0200
To: Peter Todd
Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] Safe auto-updating
Message-Id: <4E4E5921-E8BF-4274-A062-EF1FBC331C95@grabhive.com>
In-Reply-To: <09169cb2-cc59-4261-84e9-0769ec72af6b@email.android.com>

That multisignature/blockchain commitment idea seems really solid, Peter. Thanks very much indeed everyone, this is all very helpful. Much to research and think about.

Interestingly, a thread is presently raging on liberationtech about Tor Browser Bundle, and the subject of automatic updates has come up. Gregory Maxwell responded thusly (cross-posting for completeness):

> _please_ don't deploy automatic updates in a sensitive environment
> like this without at least quorum signatures (like gitian downloader)
> and timed quarantine with negative signatures (harder to make strong
> absent a jamming proof network).
-wendell
grabhive.com | twitter.com/grabhive | gpg: 6C0C9411

On Aug 5, 2013, at 7:49 PM, Peter Todd wrote:

> Gregory Maxwell had some good ideas along these lines at the San Jose conference. Extending gitian with these kinds of features would be a good approach.
>
> But I think it's worth thinking about attack models. A huge danger with auto-updating is that it is easy to target individuals; if I leave auto-updates on I am essentially trusting the developers capable of signing an update not to specifically try to attack me in the future, a much more risky thing to do than simply trusting them not to release a malicious release.
>
> Sure you can try to implement anonymous downloads and similar mechanisms, but they all tend to be fragile with regard to deanonymization attacks.
>
> A better way is to ensure that the act of making a release available for download must be public, even if you can control what binaries are made available to a particular target. You can do this by putting a commitment in the blockchain itself. Each person on the signing list creates a transaction with a special form from a specific pubkey that commits to the digest of the binaries, and the auto-update code refuses to update unless it sees that special transaction with a sufficient number of confirmations. The developers now can't make a special release for a specific target without letting the world know they did so, even under coercion.
>
> The developers could of course still make a release with code inside targeting a specific individual, but in theory at least the public can check if their builds are reproducible, and start asking questions why not?
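The following is an added toy model of the updater-side check the thread sketches, not code from this list or from any Bitcoin or gitian project. It combines Peter Todd's public commitment idea (a signer's special transaction committing to the release digest, counted only once it has enough confirmations) with the quorum, timed quarantine and negative-signature properties Gregory Maxwell asks for. Signer names stand in for signing pubkeys, and integer block heights stand in for real mined transactions; the release bytes, signer set and heights are all constructed for the example.

```python
# Toy model of release gating as described in the thread: an updater installs a
# release only when a quorum of known signers has publicly committed to its digest,
# that quorum has aged past a quarantine window, and no signer has vetoed it.
# Signer names stand in for pubkeys and heights for mined transactions (constructed).
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Commitment:
    signer: str             # stand-in for the pubkey the special transaction came from
    digest: str             # hex SHA-256 of the release binaries being committed to
    height: int             # block height at which the transaction was mined
    negative: bool = False  # True: the signer is vetoing this release ("negative signature")


@dataclass
class Chain:
    tip: int                                       # current best block height
    commitments: List[Commitment] = field(default_factory=list)


def release_digest(binaries: bytes) -> str:
    """Digest the updater computes over the downloaded release before consulting the chain."""
    return hashlib.sha256(binaries).hexdigest()


def evaluate_release(chain: Chain, digest: str, signers: Set[str], quorum: int,
                     quarantine_blocks: int) -> Tuple[bool, str]:
    """Return (install?, reason) for one candidate release digest."""
    # Only mined transactions from the known signing pubkeys count; anything else is noise.
    relevant = [c for c in chain.commitments
                if c.signer in signers and c.digest == digest and c.height <= chain.tip]

    # A confirmed negative commitment from any signer vetoes the release outright.
    vetoes = sorted({c.signer for c in relevant if c.negative})
    if vetoes:
        return False, f"vetoed by {vetoes}"

    # Earliest positive commitment per signer; a signer committing twice still counts once.
    first_seen: Dict[str, int] = {}
    for c in relevant:
        if not c.negative:
            first_seen[c.signer] = min(c.height, first_seen.get(c.signer, c.height))
    if len(first_seen) < quorum:
        return False, f"only {len(first_seen)}/{quorum} signers have committed"

    # The quorum was reached when the quorum-th earliest signer's transaction was mined.
    # Quarantine = requiring quarantine_blocks confirmations on top of that point, so a
    # negative signature has time to appear before any client installs.
    quorum_height = sorted(first_seen.values())[quorum - 1]
    confirmations = chain.tip - quorum_height + 1
    if confirmations < quarantine_blocks:
        return False, f"quorum has {confirmations} confirmations, need {quarantine_blocks}"
    return True, f"quorum of {quorum} confirmed {confirmations} blocks deep"


# --- constructed sample data ---
SIGNERS = {"alice", "bob", "carol"}
PUBLIC_RELEASE = release_digest(b"wallet-0.9.0 release tarball (constructed)")
TARGETED_BUILD = release_digest(b"wallet-0.9.0 built for a single victim (constructed)")


def build_chain(tip: int, extra: Iterable[Commitment] = ()) -> Chain:
    base = [
        Commitment("alice", PUBLIC_RELEASE, height=100),
        Commitment("bob", PUBLIC_RELEASE, height=102),
        Commitment("mallory", TARGETED_BUILD, height=103),  # not on the signing list
    ]
    return Chain(tip=tip, commitments=base + list(extra))


def demo() -> Dict[str, Tuple[bool, str]]:
    quorum, quarantine = 2, 6
    return {
        # Quorum reached at height 102 but only 3 confirmations deep: still quarantined.
        "too_fresh": evaluate_release(build_chain(104), PUBLIC_RELEASE, SIGNERS, quorum, quarantine),
        # Same release once the quarantine window has elapsed.
        "aged": evaluate_release(build_chain(108), PUBLIC_RELEASE, SIGNERS, quorum, quarantine),
        # Carol publishes a negative signature during the quarantine window.
        "vetoed": evaluate_release(
            build_chain(108, [Commitment("carol", PUBLIC_RELEASE, 105, negative=True)]),
            PUBLIC_RELEASE, SIGNERS, quorum, quarantine),
        # A build served to one target has no public commitment from the real signers.
        "targeted": evaluate_release(build_chain(120), TARGETED_BUILD, SIGNERS, quorum, quarantine),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:>9}: {'INSTALL' if ok else 'REFUSE '} ({why})")
```

The point the model makes concrete is the one in Peter's last two paragraphs: a client checks the chain, not a download server, so a binary served only to one target (the `TARGETED_BUILD` case) fails closed because nobody on the signing list ever committed to it publicly. The quarantine and veto paths are what Gregory's "timed quarantine with negative signatures" adds; whether a real deployment can rely on a client seeing the negative signature in time is the jamming concern his quote flags, and this model does not address it.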