Trusting Whonix updates as a new user

Hello, I noticed that there were two back-to-back Whonix updates in the last few days and it got me thinking. So I went to the documentation section and began reading the Whonix Trust section. While I rely on Patrick and Ego to answer all my questions on this forum, the trust section makes a comical yet valid point about not trusting Whonix or Patrick or anyone on the Internet whom you don't know. Sadly, as a new user who can't read or verify source code, I realize I am at a big disadvantage using open source software I can't verify. As a result I do trust Patrick and Whonix and all their updates. I just blindly update when the Whonix check tells me there are packages to install. My point is, say one day the sky is falling and Whonix DOES become compromised, a guy like me would never know. I would be the low-hanging fruit, so to speak, given the government is the single biggest producer and purchaser of malware. My interest in this software started with a small tinfoil hat that seems to have grown the more I learn ;-)

So my main question is: what is the safest way for a guy who can't verify code yet to double-check that these updates are safe? Is there a certain part of the forum where people who can verify code do so? Also, a point in the right direction for the fastest way to learn to verify open source code wouldn't hurt.

Thanks in advance, and sorry for the silly question; I am very certain I am the biggest noob on this forum.

Look at how to build Whonix from source.

Good day,

if you’ve downloaded a normal Whonix image, you should always verify it using this simple method: Whonix ™ for Windows, macOS, Linux inside VirtualBox.

Now, when it comes to updates, the thing is that packages are actually verified automatically; you may read about it here: Security Guide - Whonix.

Now, this of course wouldn’t protect you from source code being compromised and verified, since verification doesn’t mean per se that the code is free of bugs/security issues/back doors, which is why your only hope would be that IF the code ever got contaminated with a back door and someone found it, he/she would post it on the forums.

Now, I’m currently just starting myself to get how the code is built in its most basic form. However, even if I were able to understand the entire source code of everything in a few picoseconds, that wouldn’t mean I would see security issues right off the bat, since (especially consciously created) security issues are often hard to find or downright hidden.

So, to put it simply, verify as much as possible, don’t trust anyone, use more than one security measure and stay as informed as possible on every topic.

Have a nice day,

Ego
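Ego's first point is verifying the downloaded image's OpenPGP signature. One practical caveat when doing that by hand: `gpg --verify` exits 0 for a good signature from any key in your keyring, so the check that ties the signature to the project is comparing the signing key's fingerprint against the one the project publishes. The helper below is an added example, not code from this thread or from the Whonix project. It reads GnuPG's machine-readable `--status-fd` output (a real GnuPG feature) and accepts only a VALIDSIG line whose primary-key fingerprint matches an expected value and which is not accompanied by a BADSIG, ERRSIG, EXPKEYSIG or REVKEYSIG line. `EXPECTED_FPR` is a placeholder, and the sample status lines are constructed for the demonstration; substitute the fingerprint the project publishes.

```shell
#!/bin/sh
# Added example (not from the Whonix project or this thread).
# Usage against a real download would be:
#   gpg --status-fd 1 --verify image.ova.asc image.ova | verify_status "$EXPECTED_FPR"
# gpg writes its human-readable messages to stderr and the status lines to fd 1.

# Placeholder fingerprint: replace with the one published by the project you verify.
EXPECTED_FPR="0000000000000000000000000000000000000000"

# verify_status EXPECTED_FPR
# Reads gpg status lines on stdin. Succeeds (exit 0) only when a VALIDSIG line
# is present whose last field (the primary-key fingerprint) equals EXPECTED_FPR
# and no BADSIG / ERRSIG / EXPKEYSIG / REVKEYSIG line was seen.
verify_status() {
    expected="$1"
    match=1   # 1 = no matching VALIDSIG seen yet
    bad=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                # VALIDSIG <sig-key-fpr> <date> <ts> <exp> <ver> <rsv> <pk> <hash> <class> <primary-fpr>
                # The last word is the primary key fingerprint; keep the last word.
                primary=""
                for word in $line; do primary="$word"; done
                [ "$primary" = "$expected" ] && match=0
                ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*)
                bad=1
                ;;
        esac
    done
    [ "$bad" -eq 0 ] && [ "$match" -eq 0 ]
}

# Constructed sample status output (not real gpg output): a good signature made
# by a subkey whose primary key matches EXPECTED_FPR.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111111111111111 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 2222222222222222222222222222222222222222 2024-01-01 1704067200 0 4 0 1 8 00 0000000000000000000000000000000000000000
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed: a good signature, but from some other key in the keyring.
SAMPLE_WRONG_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 3333333333333333 Someone Else <else@example.invalid>
[GNUPG:] VALIDSIG 4444444444444444444444444444444444444444 2024-01-01 1704067200 0 4 0 1 8 00 4444444444444444444444444444444444444444'

# Constructed: right key, but gpg reports it as expired.
SAMPLE_EXPIRED='[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG 1111111111111111 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 2222222222222222222222222222222222222222 2024-01-01 1704067200 0 4 0 1 8 00 0000000000000000000000000000000000000000'

# check_sample EXPECTED_FPR STATUS_TEXT: feed a sample through verify_status.
check_sample() {
    printf '%s\n' "$2" | verify_status "$1"
}

if check_sample "$EXPECTED_FPR" "$SAMPLE_GOOD"; then
    echo "sample 1: accepted (fingerprint matches)"
fi
if ! check_sample "$EXPECTED_FPR" "$SAMPLE_WRONG_KEY"; then
    echo "sample 2: rejected (good signature, wrong key)"
fi
if ! check_sample "$EXPECTED_FPR" "$SAMPLE_EXPIRED"; then
    echo "sample 3: rejected (key expired)"
fi
```

The second sample is the case the fingerprint check exists for: gpg itself reports a good signature and exits 0, but the key is not the project's. The third shows why the status lines, not just "Good signature" text, are worth parsing.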

Not a silly question.

So my main question is: what is the safest way for a guy who can't verify code yet to double-check that these updates are safe?
You cannot. You might be able to install Whonix updates from source code. And/or to build Whonix from source code. Then you're down from trusting the binaries to trusting the code.

Installing all the Debian updates from source code will be much harder. Always getting everything from source code is maybe possible, but not so economically possible using Debian based distributions. (Others come with other issues.)

And even for people who know how to audit code, there are so many projects, so much complexity… Even if they are master programmers, they cannot possibly have the required time to verify it all.

Is there a certain part of the forum where people who can verify code do so?
No.
Also, a point in the right direction for the fastest way to learn to verify open source code wouldn't hurt.
Learn programming. Audit some. Organize others. Audit more.

Thank you for the fast and efficient replies. So it sounds to me that IF an update were to be released containing a back door or something that could be exploited, it would not be something that a master programmer would be able to find right away. That said, in the event of a compromise it would be some time before the problem is found.

🙂 So I guess in Whonix and Patrick we trust. 🙂