Bounty! $ 3.000 USD – Build Debian Packages from Source Code

Short:

Ticket updated, shortened discussion here:
https://github.com/Whonix/Whonix/issues/400

On bountysource.com showing the $ 3000 USD bounty (with old lengthy discussion):
https://www.bountysource.com/issues/9115540-build-debian-packages-from-source-code

Long:

The old discussion got too lengthy. Since no one was working on the ticket… I restarted the discussion. Meaning, I created a backup of the old discussion using webcitation, went through all the existing discussion, summarized it, answered all questions and confusion in the initial ticket description before they come up again, and deleted all comments. That should help everyone interested in working on the ticket understand what it’s about and save time by skipping reading and parsing the lengthy previous discussion.

Shortened discussion here:
https://github.com/Whonix/Whonix/issues/400

On bountysource.com showing the $ 3000 USD bounty (with old lengthy discussion):
https://www.bountysource.com/issues/9115540-build-debian-packages-from-source-code

Somehow old comments are not deleted from bountysource. But that is not a problem. Just refer to bountysource when it’s about money and to github when it’s about technical discussion.

Patrick Schleizer
Developer and maintainer at Whonix
Patrick started developing Whonix, the Anonymous Operating System, in 2012, when others quickly joined the effort. He gained experience working pseudonymously on Whonix for two years and enjoys working collaboratively on privacy-preserving software.

Posted in Contribute, Whonix Development News

Notable Replies

  1. burner1024 says:

    Following up on https://github.com/Whonix/Whonix/issues/400.

    In the meanwhile, if users can build Whonix from source code and compile as
    many packages from source code themselves (while a small binary
    bootstrap package would still be required), the chance of backdoors
    can be reduced to fewer packages.

    The thing is, the users would get source packages from the same servers. If binary packages are untrusted, then so should be the source ones. So unless users actually review the source code, the chance is the same. Is that what would be expected of them?

    BTW, that webcitation site is down, apparently.

  2. Patrick says:

    The thing is, the users would get source packages from the same
    servers. If binary packages are untrusted, then so should be the
    source ones. So unless users actually review the source code, the
    chance is the same. Is that what would be expected of them?

    It is much more risky to maliciously alter the source code than
    maliciously adding something into a binary. The sources have a
    deterministic checksum. Binary packages not yet. A maliciously altered
    source code would much more easily be randomly spotted by someone than in
    binary. Also, binary packages are built on different servers. Some stand
    in some Debian developer's home and are therefore an easier target.

  3. burner1024 says:

    Sorry, but that doesn't really answer my question. In this model, are users supposed to review the source code themselves, or are they not?

  4. burner1024 says:

    Then who is?

  5. burner1024 says:

    All right... I don't see how that would provide better security, but it's your call.

    On another note - what if Debian just doesn't want this, and won't merge?
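
Reply 2 above contrasts source packages, which have a fixed checksum, with binary packages. As an added example (not part of the original post or thread, and not Whonix or Debian project code), this Python code checks files against the `Checksums-Sha256` field of a Debian `.dsc` file. The package name `hello` and all file contents are constructed, and authenticating the `.dsc` itself (its signature) is assumed to happen separately.

```python
import hashlib

# Constructed sample data (not a real Debian package): two source files and a
# minimal .dsc-style stanza listing their SHA-256 checksums and sizes.
FILES = {
    "hello_1.0.orig.tar.gz": b"constructed upstream tarball bytes",
    "hello_1.0-1.debian.tar.xz": b"constructed packaging bytes",
}

def make_dsc(files):
    """Build a minimal constructed .dsc text with a Checksums-Sha256 field."""
    lines = ["Format: 3.0 (quilt)", "Source: hello", "Version: 1.0-1",
             "Checksums-Sha256:"]
    for name, data in files.items():
        lines.append(f" {hashlib.sha256(data).hexdigest()} {len(data)} {name}")
    return "\n".join(lines) + "\n"

def parse_checksums(dsc_text, field="Checksums-Sha256"):
    """Return {filename: (hex_digest, size)} from a multi-line control field."""
    entries, in_field = {}, False
    for line in dsc_text.splitlines():
        if line.startswith(field + ":"):
            in_field = True
        elif in_field and line.startswith(" "):
            digest, size, name = line.split()
            entries[name] = (digest, int(size))
        else:
            in_field = False  # any other field ends the checksum list
    return entries

def verify(dsc_text, files):
    """Return the sorted names of files that are missing or do not match."""
    bad = []
    for name, (digest, size) in parse_checksums(dsc_text).items():
        data = files.get(name)
        if (data is None or len(data) != size
                or hashlib.sha256(data).hexdigest() != digest):
            bad.append(name)
    return sorted(bad)

DSC = make_dsc(FILES)

if __name__ == "__main__":
    print(verify(DSC, FILES))  # unmodified source files
    # Same length as the original, one byte changed: size matches, hash does not.
    tampered = {**FILES, "hello_1.0.orig.tar.gz": b"constructed upstream tarball bytez"}
    print(verify(DSC, tampered))
```

The check only shows that the files match what the `.dsc` lists; it says nothing about whether the listed source code is benign.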
