How do we defend against dependency-based side-channel attacks at the @securedrop project: https://kushaldas.in/posts/defending-against-side-channel-attacks-via-dependencies.html #Python Let me know what you think. #Security
@kushal @securedrop Sounds good. It’s roughly what we do for Freenet, though there it’s done by gradle witness — and we have a script that can disassemble the release jars and check them against a local build, and the script ignores timestamps: https://github.com/freenet/scripts/blob/master/verify-build#L2
Though nowadays I would prefer to use a Guix setup for this.
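As an added illustration of the check described in the reply above (not Freenet's verify-build script and not code from either poster): comparing a release jar against a local build while ignoring archive timestamps. It assumes a simpler comparison than disassembly, hashing each entry's uncompressed content; the function names and the sample jars are constructed for this example.

```python
import hashlib
import io
import zipfile


def make_jar(entries, date_time):
    """Build an in-memory JAR (a ZIP archive) whose entries all carry date_time."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=date_time), data)
    return buf.getvalue()


def entry_digests(jar_bytes):
    """Map entry name -> SHA-256 of uncompressed content; ZIP metadata is ignored."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return {info.filename: hashlib.sha256(zf.read(info)).hexdigest()
                for info in zf.infolist() if not info.is_dir()}


def diff_jars(release, local):
    """Return sorted (name, reason) pairs where the release differs from the local build."""
    rel, loc = entry_digests(release), entry_digests(local)
    diffs = []
    for name in sorted(rel.keys() | loc.keys()):
        if name not in loc:
            diffs.append((name, "only in release"))
        elif name not in rel:
            diffs.append((name, "only in local build"))
        elif rel[name] != loc[name]:
            diffs.append((name, "content differs"))
    return diffs


# Constructed sample data: same content built at two different times, plus a modified jar.
CLASSES = {"org/example/Node.class": b"\xca\xfe\xba\xbe constructed bytes",
           "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"}
LOCAL = make_jar(CLASSES, (2020, 1, 1, 0, 0, 0))
RELEASE_OK = make_jar(CLASSES, (2021, 6, 15, 12, 30, 0))
TAMPERED = make_jar({**CLASSES,
                     "org/example/Node.class": b"\xca\xfe\xba\xbe modified",
                     "org/example/Extra.class": b"added"}, (2021, 6, 15, 12, 30, 0))

if __name__ == "__main__":
    print("archives byte-identical:", RELEASE_OK == LOCAL)
    print("clean release diff:", diff_jars(RELEASE_OK, LOCAL))
    print("modified release diff:", diff_jars(TAMPERED, LOCAL))
```

A plain hash of the two archive files would flag the clean release as different because of the timestamps alone; the per-entry comparison reports only content changes and added or missing entries.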