[Box Backup] Help installing client on Mac OS X

James O'Gorman boxbackup@fluffy.co.uk
Tue, 9 Oct 2007 07:41:05 +0100

On Mon, Oct 08, 2007 at 02:10:06PM -0700, Peter Jalajas, TebucoSafe Backups wrote:
> So implementing a strategy of security as a risk-management onion, and knowing that nothing is
> ever perfectly secure, the Box Backup project could/should take reasonably aggressive measures to
> use the available convenient processes that help ensure (assure?) the security of the source code
> and binaries.  Maybe you all do already, and I just haven't bother to track it all down.  

Apart from anything, I have the Box Backup sources stored within Box
Backup :-) The entire svn and trac data is part of my Box store, so I'd
say that's pretty safe. If, god forbid, this server was compromised, we
have fully-encrypted backups. I think Ben takes offsite backups too.

> So, yes, having widely disseminated sha1sums of everything goes a very long way towards that end
> with very little pain, I think.  Signatures go yet again a bit further, but with a little more
> pain.  (Insert other heavier lifting here.)  You hosting a keysigning party in Cambs is probably
> too aggressive and inconvenient, providing too little bang for the buck, as we say here.  ;^)
> In a previous life as a Release Engineering manager for an enterprise security product, I appended
> to our software build process an immediate automatic wide-dissemination of md5sums (md5 was state
> of the art then, as I believe sha1 is now) of all individual source files, binaries, tarballs,

Most people/projects are skipping SHA-1 and using SHA-256 now. (FreeBSD
used to just do md5sums of third-party distfiles in ports, now it does
md5sum and sha256.)