On Mon, Jun 23, 2014 at 6:56 AM, Bill Cox <waywardgeek@xxxxxxxxx> wrote: > Personally, I wish to contribute long-term to CipherShed as one of the > people who check the code for back doors. I don't have any particular > reason to believe I am any good at it, but I certainly feel better > after checking the code myself. Based on your attention to detail thus far, I think you'd be great for that actually, Bill! > First, Stephen did solid work. Nice job! He not only checked in the > same TrueCrypt sources we can find on the Internet in various places, > he explained how he verified them. If we can have solid explanations > like this in git commit comments or change logs going forward, it will > make verification much simpler. Thanks! > We now have Windows .exe files signed into the git repo. We should > use them to verify newer versions of these exe files rather than > assuming they are golden and error-free. If these executables are > hacked, it could be a disaster. If they are out of date and have > unpatched buffer overflow bugs, they could be exploited. However, I > think it is a good idea to have these executables in git. When we do > releases, I think we should use the latest versions of these > executables from our favorite sources (preferably sources that are not > disclosed), and verify that we get the same result as using the signed > in versions. Hm? I don't think there's any .exe files committed to git right now? > I verified the Pkcs11 header files match those I could download from > the RSA site, and also match those from the realcrypt project. I > checked the sha256 signatures for the source .tar.gz and .zip files, > and verified the truecrypt-hashes.asc file matches what I could find > using Google. Everything checked out. > > Minor update needed to README.md: The > https://ciphershed.org/DevelopmentProcess page is referenced in the > README.md file, but does not currently exist. Similarly, > https://ciphershed.org/Docs does not currently exist. Updated!