tlug.jp Mailing List Archive
Re: [tlug] Any way to make code running on a cloud service publicly verifiable?
- Date: Fri, 21 Sep 2012 14:26:34 +0900
- From: Curt Sampson <cjs@example.com>
- Subject: Re: [tlug] Any way to make code running on a cloud service publicly verifiable?
- User-agent: Mutt/1.5.21 (2010-09-15)
On 2012-09-21 10:52 +0900 (Fri), Stephen J. Turnbull wrote:

> Curt Sampson writes:
>
> > I would think you'd have the server allow downloads of the version it's
> > running,
>
> I don't see how that's easy to analyze. That would require that the
> server open up a file transfer mechanism not under control of Edgar
> (remember, Edgar is the prime suspect here).

That's a requirement anyway, since Edgar has to be able to upload his code without compromising the mechanism. :-)

> The reason for using HMACs is that a man in the middle can learn to
> generate hashes for messages that he can control, at least in part.

Ah. Thinking about this in more detail, the problem is that he can generate messages that appear to be authentic when tested for authenticity, but are not.

That's not the problem we're trying to deal with here; we're simply trying to determine if a particular chunk of data we have is the same one the server has. That makes me feel a lot more comfortable with just using a hash, assuming that we have both a reliable way of determining a hash from the data and a way to authenticate the hash. An appropriate digital signature mechanism is a good way to do the second part.

I'm not so convinced that git's hash generation method is a secure way to generate a hash of some arbitrary code, which is why I think using something simpler, such as a tarball and hash of that tarball, is probably a better way to go.

Given that, you're right, it doesn't matter whence you get the tarball.

cjs
-- 
Curt Sampson <cjs@example.com> +81 90 7737 2974
It is easier to write an incorrect program than understand a correct one.
--Alan Perlis, Epigrams on Programming (#7)
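An added example, not part of the message above or of the thread: one way to get a reproducible hash of a tarball and compare it with a digest the server operator has published. It goes beyond the message in normalising the tar metadata so that two parties packing the same files get the same bytes; that normalisation, the choice of SHA-256 and all names here are assumptions of this example, and authenticating the published digest (for instance with a digital signature) is assumed to happen separately.

```python
import hashlib
import hmac
import io
import tarfile


def canonical_tarball(files):
    """Pack {path: bytes} into an uncompressed tar whose bytes depend only on
    the paths and contents: sorted order, fixed mtime, owner and mode."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for path in sorted(files):
            data = files[path]
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            info.mtime = 0                 # no timestamps in the hash input
            info.mode = 0o644
            info.uid = info.gid = 0        # no local user or group ids
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def tarball_digest(tarball):
    """Hex SHA-256 of the tarball bytes."""
    return hashlib.sha256(tarball).hexdigest()


def same_as_published(tarball, published_hex):
    """True if the tarball we hold hashes to the digest the operator published.
    Checking that published_hex is authentic is a separate step."""
    expected = published_hex.strip().lower()
    return hmac.compare_digest(tarball_digest(tarball), expected)


# Constructed sample: one source tree as packed by the operator and by an
# auditor (different insertion order), plus a copy with one byte changed.
SERVER_TREE = {"app/main.py": b"print('hello')\n", "README": b"demo\n"}
AUDITOR_TREE = {"README": b"demo\n", "app/main.py": b"print('hello')\n"}
TAMPERED_TREE = {"README": b"demo\n", "app/main.py": b"print('hell0')\n"}

if __name__ == "__main__":
    published = tarball_digest(canonical_tarball(SERVER_TREE))
    print("published digest:", published)
    for label, tree in (("auditor", AUDITOR_TREE), ("tampered", TAMPERED_TREE)):
        print(label, "matches:", same_as_published(canonical_tarball(tree), published))
```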