-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I had a chance to read through some of the TrueCrypt code. I read the code for the Windows boot loader in the Boot directory. It looks OK to me. I was fearing much worse! The audit made it sound like a complete mess, but I think it's going to be simple enough to whip into shape. If we must maintain this code, as it sounds like we must for at least a few years, then I volunteer to maintain it, or rewrite it if required for license reasons. It looks like we will not be able to avoid the dependency on a 1993 version of Microsoft Visual C, but I think we can live with it. I would also like to be involved in a UEFI boot loader, assuming we write one. We should collaborate with the VeraCrypt guy on this, I think, since he sounds fairly knowlegable about it. There may be other more qualified people that will join the project who have more boot loader experience. If someone like that does join who would like to maintain this code, I would prefer to hand it over. I'm a lazy developer in general :-) I want to focus on security, but am willing to do this sort of work. I also looked into code that has any E4M copyright. There are 47,602 lines of code derived in part from the E4M code. The E4M license claims copyright 1998-2000 by Paul Le Roux. SecureStar claims ownership of the E4M code now, though Paul Le Roux's license looks like it is valid, which is not contraticted yet by SecureStar, though it sounds like there is bad blood there. However, this code is really really old! It needs a rewrite. It's not so much that Paul Le Roux did a good/bad job. The problem is that a *lot* of this code looks like it dates back as far as 1990! GUI APIs and portability have come a long way since then. For example, the file Common/Dlgcode.c (9,000 lines long!) is written directly to the Windows API. The code is Common/Crypto.c has a lot of core crypto stuff, but the code is highly dated. We should rewrite it, even though it appears to be used cross-platform. The E4M code mixes Windows GUI, and FAT/NTFS along with more generic code that gets linked into the Linux version. Some of this code looks valuable, such as the FAT/NTFS code, but it needs to be cleanly isolated from the portable code. Given the link to E4M, I would recommend we remove all of the E4M code from the system. Much of this code is duplicated in the Linux version in a cleaner, more portable way, so we do not have to rewrite all 46,000 lines to get rid of the E4M code. After that, we still have a *lot* of code to rewrite due to migrating to a FOSS (preferably BSD) license. Mostly it's the wxWindows GUI code. Maybe we could do this in two major rewrites: first eliminate the E4M code and have a major release, and then rewrite the rest. There's also the issue of how to rewrite some of the crypto code. There are well reviewed BSD compatible versions for most of the crypto code we need, I think. As much fun as it would be, I'm not sure we need to write any actual encryption code. Bill I have never been served with any warrant such as an NSL, I have no gag order of any kind, and am not under any sort of compulsion related to the CipherShed project. The last CipherShed git commit I have personally verified (all the way to the first commit) is a03e565835e3ff66774a2a50946dc2290bcbc7d4. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (Cygwin) iQIcBAEBAgAGBQJTqyDwAAoJEL9an3rWhBk+vs0P/jWobuuJrEmVP9I0Tjgjf6bC C8UYuc8rTLxIqrV2H9sT+Cc2Zu70gq37LqB7QKQQmIV1NgNlLhn0/j6/JUu7nEMr 92+MnMo5xJ77r0TZ2fefAHALIASyy9iZa8VGgQ3w2EDqzbepb9ScjLiKBLSO6jgL Loy8oLyqpbCKrJShRrjRA1TNQpL4W3M0fo93LtGXSX+n4DW8udE9e3B6YhqS9OeY OJUhtV0jwx/g/P4RP4uN6Udox0D3JNgrWRo+4SS5eYQBJq1G02V7k4y/+DySVXkT DCjs7qEuKJ6/xGvOOYIcba1JhTS7wareG/vfN6wZn4PQTABLwhBDgnSDIMhdM/KJ MUdbirJXl1COgMCMSvnGGHI4ztVBLlxstz2T7pUCEcJbPCFDeKtatIFa1zLetMjF edJyGpg5wVdYWxfuUPWO+V3vDriI3EUPjyuXpQFnOsb9tYpV1QB7E5GoGXMpAUvq eJinZZ7PfyJ1hHd0z8CrAW1j23f35C1wDsyOmouNEKaqouUUJ7mF8hezWAG1ZkMQ RyybZuidiFMNZ5ycFYZiEoO/1UARfZPJ9V7p3q7mqZqOPTFhBBqAuWrfY+Bfiyel UkvF7KGBuxZvk70Cqk9YVvDsXvItdaGjPTLzZfgWbBfcG7ndjv7MGMObRVOSbTwL J/kWduE1H5MNaJvsge5h =qq8G -----END PGP SIGNATURE-----