bundled binaries: rational, security concerns and observation (.deb) #1582
Comments
|
The binaries should match this release: https://github.com/haveno-dex/monero/releases/tag/release4 That repository provides the ability to apply customizations not yet released in monero-project, which has been necessary in the past (less so now). As far as I know, the binary builds should be determinstic using the cross-compiling instructions, so the binaries should be reproducible from the same commit hash? |
|
The Tor binaries are downloaded directly from the Tor Browser project.
Yes, this deb is not "official". There is no official Haveno-dex mainnet. |
Some observation based on the .deb package provided by https://github.com/retoaccess1/haveno-reto/releases/latest/download/haveno-linux-deb.zip (@retoaccess1 which is the 4th result when searching for "haveno deb")
tor,monero-wallet-rpc,monerodinstead of relying on well-proven ones. What's the point of checking a MD5 if it rolls its own unproven trust-system instead of relying of user/distribution/proven supply chains. These binary have/should have their own .deb from verified build.~/.local/share/Haveno-reto/monerodindicates having been build from commit 10a1b767b which is suspicious given no such commit exist in the official monero Git repository. (If a malware infected a developer machine, that would be a nice spot to hide)If this deb is not "official" or even a malware, then it's still a concern for /haveno-dex/ since it'd call for actions regarding official builds (and a more secure binary retrieval/reliance mechanisms)
See also: #1577
The text was updated successfully, but these errors were encountered: