[Box Backup] Latest Boxi Win32 binary available for download
Achim
boxbackup@boxbackup.org
Mon, 03 Aug 2009 23:21:22 +0200
Hello Peter:
On Mon, 3 Aug 2009 15:12:26 -0400, "Peter Jalajas, GigaLock Backup Services" <pjalajas@gigalock.com> wrote:
> Thank you so much for your time, effort, and talent in working with
> Chris on Box Backup and Boxi! I think I speak for many users that we
> truly appreciate your efforts.
Thanks. Box Backup and Boxi are certainly "unsung heroes", and pushing Boxi
a bit further might lead to a whole new class of user interest!
> I've worked with Chris on Box Backup for years and have developed a
> trust in his Windows binaries. But since you're so new to the
> project, I need to figure out a way to quickly gain that trust in
> _your_ binaries. Sorry, no disrespect intended, of course, and I
> have absolutely no reason to _not_ trust you, but I'm just being
> paranoid with respect to my customers' data. I hope you understand.
I absolutely understand. For our clients at Qustodium, I would expect
nothing less. Together with Andy Grove (ex-Intel CEO) we are in good
company: "Only the paranoid survive".
> I'm thinking something along the line of building something like a
> GnuPG web-of-trust around you, and then having you digitally sign your
> releases in some way. Does that make sense? Overkill? Suggestions
> welcome! Let's start with LinkedIn--is this you?:
> http://www.linkedin.com/pub/achim-j-latz/0/209/828
Yep, thanks for the public service announcement: c'est moi.
About the GnuPG web of trust: I understand what you are saying, and I
already have some public GPG keys floating around somewhere. However, I
think technology can barely solve this trust issue.
Imagine the following scenario: I build the latest Boxi v1.0 (can't be too
long away, right? ;) as a public service. I then sign the resulting binary
either directly or sign the resulting MD5 or whatever secure hash function
you would like. One problem remains: how do you know that I did not add a
backdoor into Boxi or Box Backup?
You can certainly establish that I am the source of the build, but you
still would have to find the backdoor.
On the other hand, the process I outlined for building Boxi is pretty
straightforward (not to say: "Copy & Paste"), so building your own binaries
is perhaps the ideal solution to this trust issue?
Let me know what you think: I am happy to sign the binaries, if that is
what is needed for a bigger Boxi audience.
Best regards, Achim