[Box Backup] Latest Boxi Win32 binary available for download

Achim boxbackup@boxbackup.org
Mon, 03 Aug 2009 23:21:22 +0200

Hello Peter:

On Mon, 3 Aug 2009 15:12:26 -0400, "Peter Jalajas, GigaLock Backup
<pjalajas@gigalock.com> wrote:
> Thank you so much for your time, effort, and talent in working with
> Chris on Box Backup and Boxi!  I think I speak for many users that we
> truly appreciate your efforts.

Thanks. Box Backup and Boxi are certainly "unsung heroes", and pushing Boxi
a bit further might lead to a whole new class of user interest!

> I've worked with Chris on Box Backup for years and have developed a
> trust in his Windows binaries.   But since you're so new to the
> project, I need to figure out a way to quickly gain that trust in
> _your_ binaries.  Sorry, no disrespect intended, of course,  and I
> have absolutely no reason to _not_ trust you, but I'm just being
> paranoid with respect to my customers' data.  I hope you understand.

I absolutely understand. For our clients at Qustodium, I would expect
nothing less. Together with Andy Grove (ex-Intel CEO) we are in good
company: "Only the paranoid survive".

> I'm thinking something along the line of building something like a
> GnuPG web-of-trust around you, and then having you digitally sign your
> releases in some way.  Does that make sense?  Overkill?  Suggestions
> welcome!   Let's start with LinkedIn--is this you?:
> http://www.linkedin.com/pub/achim-j-latz/0/209/828

Yep, thanks for the public service announcement: c'est moi.

About the GnuPG web of trust: I understand what you are saying, and I
already have some public GPG keys floating around somewhere. However, I
think technology can barely solve this trust issue.

Imagine the following scenario: I build the lastest Boxi v1.0 (can't be too
long away, right? ;) as a public service. I then sign the resulting binary
either directly or sign the resulting MD5 or whatever secure hash function
you would like. One problem remains: how do you know that I did not add a
backdoor into Boxi or Box Backup? 

You can certainly establish that I am the source of the build, but you
still would have to find the backdoor.

On the other hand, the process I outlined for building Boxi is pretty
straightforward (not to say: "Copy & Paste"), so building your own binaries
is perhaps the ideal solution to this trust issue?

Let me know what you think: I am happy to sign the binaries, if that is
what is needed for a bigger Boxi audience.

Best regards, Achim