Dear Patrick,
I agree that unaffiliated personal copies of Whonix’s history are semi-important, which I personally do as well. However, having official original sources of information be archived by trustworthy public archiving systems, like Archive.org, is most important for establishing a better historical chain of public integrity and trust, since any private archive of Whonix information/files/source/etc. could be modified by the private archiver.
I did some deeper checking throughout the Whonix website.
Things look pretty good since we have the following:
However, there are a couple issues that I’d note.
The Verifiable Builds page says:
“When building Whonix .ova’s from source code, for example /home/user/whonix_binary/Whonix-Gateway-7.ova also report /home/user/whonix_binary/Whonix-Gateway-7.report file will be created.”
“Anyone building Whonix.ova images will hopefully end up with the same report. We can then compare the reports using tools such as diff and/or meld. Those reports should be very similar. We can’t end up with the very same reports, because again, there are no deterministically built operating systems yet. However, we can manually review the few remaining differences. That should make it reasonable to believe, that the original Whonix.ova images have been build from the source code that has been published for that Whonix version.”
It would be good to get a published copy of those .report files online with the binary image files that everyone is using. Again, preferably on an HTML/TXT Whonix page/post, so that it can be archived via public archiving sites. Maybe these .report files are already being published somewhere I missed? But, if I’m understanding correctly, it seems that these .report files are the key to ensuring verifiable builds. It’d be good to offer those publicly somehow then (ideally via an HTML/TXT archivable page).
Assuming their importance for verifying the source code integrity of the binary builds…
Are these .report files published already? Could they be?
Another minor issue is that the GPG signatures are in Robots.txt-blocked text files in the /download/ directory of the Whonix server. This Robots.txt condition causes Archive.org to fail when attempting to archive them…
https://web.archive.org/save/https://www.whonix.org/download/current/7-sig/Whonix-Gateway-7.ova.asc
https://web.archive.org/save/https://www.whonix.org/download/current/7-sig/Whonix-Workstation-7.ova.asc
Maybe making a signatures sub-directory and allowing Robots.txt access to it could be done, so that these important signatures could be publicly archived by Archive.org?
Also, to off-load most of these things from you, I would personally be willing to make some regular posts to the Wiki, in an appropriate place, of any important historical verification information like this, including signatures, checksums, .report files, etc, and then also ensure that it gets publicly archived. I’d just need to know the right place to publish it to.
Maybe a page like: Placing Trust in Whonix ™
Thanks Patrick.
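
The robots.txt suggestion above can be checked offline before changing the server. The following is an added example, not part of the original post and not Whonix project code: both robots.txt bodies, the `/download/signatures/` directory and the image path are constructed assumptions, and only the two `.asc` URLs come from the post.

```python
from urllib.robotparser import RobotFileParser

# Constructed robots.txt bodies; the real whonix.org file is not quoted in the post.
BLOCKING = """\
User-agent: *
Disallow: /download/
"""

# Hypothetical fix: signatures live under /download/signatures/ (assumed path).
# Allow comes first because urllib.robotparser applies the first matching rule.
WITH_SIGNATURE_DIR = """\
User-agent: *
Allow: /download/signatures/
Disallow: /download/
"""

BASE = "https://www.whonix.org"
# The two signature URLs quoted in the post.
CURRENT_SIGS = [
    BASE + "/download/current/7-sig/Whonix-Gateway-7.ova.asc",
    BASE + "/download/current/7-sig/Whonix-Workstation-7.ova.asc",
]
# Where the same files would sit after the proposed move (constructed).
MOVED_SIGS = [
    BASE + "/download/signatures/Whonix-Gateway-7.ova.asc",
    BASE + "/download/signatures/Whonix-Workstation-7.ova.asc",
]
IMAGE = BASE + "/download/current/Whonix-Gateway-7.ova"  # constructed image path


def crawl_permissions(robots_txt, urls, agent="*"):
    """Map each URL to True if a crawler honouring robots_txt may fetch it."""
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return {url: parser.can_fetch(agent, url) for url in urls}


def blocked(robots_txt, urls, agent="*"):
    """Return the URLs a robots.txt-honouring archiver would refuse to save."""
    perms = crawl_permissions(robots_txt, urls, agent)
    return [url for url, allowed in perms.items() if not allowed]


if __name__ == "__main__":
    print("blocked today:", blocked(BLOCKING, CURRENT_SIGS))
    print("blocked after move:", blocked(WITH_SIGNATURE_DIR, MOVED_SIGS + [IMAGE]))
```

With the second file, the signature directory becomes archivable while the large image files under `/download/` stay excluded from crawling.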