On Fri, Jun 6, 2014 at 12:36 AM, Bill Cox <waywardgeek@xxxxxxxxx> wrote:
> I think it might be a lot of fun to see which of us can succeed in inserting
> a back door without the others noticing. Every week each developer (core
> developer?) would publish a warrant canary containing an encrypted code
> snippet, as well as the key to the prior week's code snippet. The code
> snippets would either say "No back doors were inserted this week", or show
> exactly where the back door is with an explanation.

I spent the morning thinking about this a bit. The reasoning behind it is a fantastic idea. However, I think it would have some practical issues.

For future auditing purposes (even if it's just some user looking at our commit history), we should keep our git repo as "clean" as possible. If this backdoor-checking project happens, it would need to be in a separate repo (not just a branch...).

I don't think we should intentionally introduce vulnerabilities into our code either. A malicious user could use that code (from our git repo) and compile and distribute or install on unsuspecting users' computers, then use the backdoor. It would (probably) never happen on a mass scale, but if it compromises a single person, that's one too many (for an intentional backdoor). Know what I mean?

I do love the idea of using this to learn, especially for the more inexperienced programmers such as myself. Maybe this project can go forward using private git repos?