TrueCrypt Page Says It's Not Secure, All Development Stopped

from the uh... dept

Last fall, we noted that the popular disk encryption software TrueCrypt was undergoing a security audit, inspired by the Snowden revelations. At issue: TrueCrypt is open source and widely used and promoted (hell, Snowden himself apparently taught people how to use it), but no one really knew who was behind it — raising all sorts of questions. A little over a month ago, we noted that the first phase of the audit didn’t find any backdoors, but did note a few (mostly) minor vulnerabilities.

However, a little while ago, TrueCrypt’s SourceForge page suddenly announced: “WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues” and furthermore: “The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP.”

While some initially questioned if this was a hoax, others quickly noted that a new version of the program was signed with the official TrueCrypt signing key. That means it is either legit, or TrueCrypt’s private key has been compromised, which would obviously be a serious issue in its own right. Note what a valid signature does and does not prove: it shows that whoever published the binary holds the key, not that the binary is safe to run. If you happen to use TrueCrypt, you should be very, very careful right now: do not install the new build until more is known, and check any signature against a key fingerprint you recorded earlier, not one fetched from the same page that is telling you the software is unsafe.



Comments on “TrueCrypt Page Says It's Not Secure, All Development Stopped”

John Smith (profile) says:

Re: Re:

I was just listening to TWIT.TV’s This Week in Google when Leo LaPorte brought this up. He is thinking it’s a hack.

Apparently Steve Gibson, the host of Security Now is talking to the people who have been doing the audit and they have been trying to reach people at

There is also a new executable that LaPorte said you should NOT download under any circumstances.

The best advice is wait for a few days for things to shake out. One of the possible clues was the recommendation to use Microsoft’s Bitlocker which is a closed source application. (Obviously)

Cerberus (profile) says:

Re: Re: Re: Re:

I have heard two possible explanations, both fairly tinfoily:

1. Truecrypt has received a Security Letter from an American or other agency (we don’t know where they are) to build in a backdoor. They are not allowed to announce having received the letter, but they can simply rip out the encryption part of their software and make a general announcement like this one.

2. Were hacked but regained control. But why weren’t they more specific in their warning, then?

Whatever says:

Re: Re: Re:2 Re:

I sort of go with a third, slightly more hybrid situation, which is:

3. the encryption itself may have been hacked or back-doored due to its reliance on Windows code, particularly older functions traced back to Windows XP. Possibly the NSA knew and used it. Possibly hackers knew it and used it. Possibly both.

No matter which answer you go with, the product is compromised, any data stored with this product should be considered at risk, and potentially that it has already been obtained illegally by third parties. It should also not be considered a good way to encode drives to cross the border, as an example.

Machin Shin (profile) says:

Re: Re: Re:3 Re:

There is a REALLY huge flaw in your logic there. Mainly “due to its reliance on Windows code”. TrueCrypt is cross-platform. It ran on Windows, Linux and OSX. So it would not have relied on Windows code.

Also, you saying they pulled their product due to flaws in windows code, and then they recommend you move to… Windows bitlocker?

Pawel L. Bogdziun says:

Re: Re: Encryption and open source

Well, there is no reason to hide the algorithm of good encryption just because it’s asymmetrical. You can know how data is encrypted, but there is no way back once it was secured. If someone says that it should be a closed executable… I’m pretty sure there is something behind it.

Anonymous Coward says:

Re: Re: Re:

That may depend on who you want to hide your data from: against a casual thief, BitLocker would probably work; against the NSA… I would not trust it.
BitLocker is not known to be compromised, the repository may have been hacked, and prior versions might still be effective. Also note that to use BitLocker will require many home users to upgrade their operating system. Something about this smells worse than a skunk.

Arthur Moore (profile) says:


I personally prefer LUKS encrypted containers or drives. Sure they have a known signature at the beginning, but how likely do you think someone is going to have a multi-gigabyte file full of random data.

Best of all, the Linux cryptsetup program supports both these and truecrypt. For windows you can use a program called FreeOTFE.

Unfortunately, while LUKS is the standard way to do full disk encryption in Linux it doesn’t do the fancy pre boot stuff so it can’t encrypt your main windows drive.
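The comment above rests on a forensic detail worth seeing in code: a LUKS container begins with a fixed magic string, whereas a TrueCrypt volume header is salted and encrypted and therefore reads as random bytes from the first offset. The following is an added example, not code from the page or from any of the projects it mentions. It assumes the LUKS on-disk layout (6-byte magic `LUKS\xba\xbe` followed by a 16-bit big-endian version field); the sample inputs are constructed here, and the random stand-in for a TrueCrypt volume is generated from a seeded PRNG so the run is repeatable.

```python
# Added example: triage the start of a file or block device. Detect a LUKS
# header by its magic; otherwise estimate entropy to flag headerless
# encrypted data (TrueCrypt volume, other headerless encryption, or simply
# random bytes; an entropy check cannot tell those apart).
import math
import random
from collections import Counter

LUKS_MAGIC = b"LUKS\xba\xbe"   # bytes 0..5 of a LUKS1 or LUKS2 primary header
HEADER_SAMPLE = 4096           # bytes examined; enough for a stable entropy estimate
RANDOM_THRESHOLD = 7.5         # bits per byte; uniformly random data approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Plug-in estimate of entropy in bits per byte, in the range 0.0 .. 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_header(blob: bytes) -> str:
    """Return 'luks1', 'luks2', 'luks-unknown-version', 'high-entropy' or 'low-entropy'."""
    head = blob[:HEADER_SAMPLE]
    if head.startswith(LUKS_MAGIC):
        version = int.from_bytes(head[6:8], "big")   # 16-bit big-endian version field
        return f"luks{version}" if version in (1, 2) else "luks-unknown-version"
    if shannon_entropy(head) >= RANDOM_THRESHOLD:
        return "high-entropy"
    return "low-entropy"


# --- constructed sample inputs (not real volumes) ---------------------------

def sample_luks1_header() -> bytes:
    # magic + version 1, zero padded; a real header carries cipher names,
    # key-slot material and a salt after these fields
    return LUKS_MAGIC + (1).to_bytes(2, "big") + b"\x00" * (HEADER_SAMPLE - 8)


def sample_luks2_header() -> bytes:
    return LUKS_MAGIC + (2).to_bytes(2, "big") + b"\x00" * (HEADER_SAMPLE - 8)


def sample_random_volume() -> bytes:
    # stand-in for a TrueCrypt volume: seeded so the example is repeatable,
    # but byte-for-byte as structureless as an encrypted header
    rng = random.Random(0x7C)
    return bytes(rng.getrandbits(8) for _ in range(HEADER_SAMPLE))


def sample_plaintext() -> bytes:
    return (b"The quick brown fox jumps over the lazy dog. " * 100)[:HEADER_SAMPLE]


if __name__ == "__main__":
    for name, fn in [("luks1", sample_luks1_header), ("luks2", sample_luks2_header),
                     ("random", sample_random_volume), ("text", sample_plaintext)]:
        data = fn()
        print(f"{name:7s} entropy={shannon_entropy(data):.2f} -> {classify_header(data)}")
```

To run it against a real device, read the first `HEADER_SAMPLE` bytes of `/dev/sdX` or of the suspect file and pass them to `classify_header`. The entropy branch is deliberately coarse: it answers “does this look like ciphertext or random data?”, which is exactly the property the comment above is relying on, and nothing more.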

Pawel L. Bogdziun says:

Re: Encryption issues

Anonymous Coward, how could you ever trust any encryption software since you’re probably no cryptographic expert? OK, you can get source code of thousands of lines and you will never be sure what exactly you’re compiling. Moreover, you probably don’t know what the compiler does with the source code. The only way is to have nothing to hide 😀

Nikropht (profile) says:

“The website is presumed hacked, the keys are presumed compromised, the binary on the website is capable only to decode crypted data, not encode, and may contain trojan. The binary is signed with the valid (old) key. All old versions are wiped, the repository is wiped too. Please do not download or run it. And please don’t switch to bitlocker.”


John Fenderson (profile) says:

Re: Occam's Razor suggests...

I agree, a hack is the most likely explanation (all signs point to it, anyway).

Anyone using TrueCrypt should stand pat for the time being until more is known. Do not use the binary on the website. If you feel the need to migrate, then decrypt using your existing version of the software and don’t migrate to BitLocker.

That One Guy (profile) says:

Re: Another possibility?

Actually when you think about it, the Lavabit route may have sucked for the company and the ones running it, but with regards to the targets, otherwise known as the customers/users of the service, it was pretty much the best they could hope for. Yeah the service shut down, but compared to having it totally compromised, that seems like a decent alternative.

Anonymous Coward says:

Re: Re: Another possibility?

As a former Lavabit customer, I can say there was certainly some short-term suckage for me while I had to figure out what to do with my email after the shutdown. The plug was pulled with no advance warning, so the transition to a new host was less than smooth.

But otherwise, yeah, I’d rather have that happen than have a totally compromised host.

Violated (profile) says:

Re: Another possibility?

I think Lavabit 2.0 is quite possible. Had this Truecrypt developer received a National Security Letter (NSL) then the only option that remains is to discredit his own product.

New page layout hastily created, bullshit reason, an open source developer recommending a closed source product, “Microsoft”, newly generated encryption key, pointing out ‘compromised’ despite a clean audit, then lastly migration to avoid a possible NSA compromised product.

If that does not scream out NSL then I don’t know what does when naturally anyone who receives an NSL is forbidden from saying that they have.

Anonymous Coward says:

Might be another Lavabit scenario

Some speculation that TrueCrypt is falling on its sword after some secret orders:

Seems as good of a speculative explanation as any. Why would someone compromising the dev key warn people away from the binary? Better just to sign a compromised one and say nothing….

And if you are going to hack a site like TrueCrypt for notoriety, you’d put up the typical ‘I OWNZ UR ASS’ hacker boasts….

Anonymous Coward says:

Re: Might be another Lavabit scenario

There is a problem with putting back-doors in open source code: you can assume that they will be found sooner or later, especially if an outside audit is in progress. So it is more likely they have been forced to fall on their swords, and point users at a closed source compromised system.

Chronno S. Trigger (profile) says:

Re: Re: Re: Might be another Lavabit scenario

I think the running theory (and I emphasize that it is a theory) in this thread is that the new version of the code is compromised, not the old version. They were forced to put in back doors in the new version, so they did the honorable thing and shut it down.

Again, theory, I want evidence. It could be that they found out that the NSA has some way to decrypt anything TrueCrypt created without a backdoor, so they jumped ship. It could also be that the site was hacked as has been suggested. Or any number of other things.

One thing I can say is that I’m not plugging in my encrypted hard drive until I get more information.

Anonymous Coward says:

Re: Re: Might be another Lavabit scenario

I’m still unconvinced. IF that was the case, then eventually it would come out — and the outcome would be much worse for those issuing those orders than if they’d just left TrueCrypt alone.

Why? Because if it became public knowledge that TrueCrypt was ordered to shut down, the first question would be “why?”. And if the answer to that is “because we can’t crack it and we’d really like to” then that immediately calls into question EVERY cryptographic implementation, because we must reason that any which haven’t been ordered to shut down are, in fact, already compromised.

And I don’t think anybody wants to go there.

Anonymous Coward says:

Re: Might be another Lavabit scenario

Some speculation? There’s relentless speculation about this online, and pretty much nobody is saying these theories go too far, that people are just paranoid, that governments wouldn’t do this, etc. I knew there was some mistrust, but this is near-universal mistrust. And the government hasn’t even put out their suspiciously-precisely-worded denial yet.

Anonymous Anonymous Coward says:

Trusted Systems

Whether this is a hack, or a defensive move against government interference, or a yet another reason, what does this have to say about trusted systems?

Is trust temporary, until you know you can’t or shouldn’t?

Or is trust permanent, until it is taken away?

How does one know who or what to trust anymore?

Personally, I will lend $20 to almost anyone I have some relationship with. I learn a lot in how they handle it. If I get it back, it speaks to character. If I don’t get it back, it speaks to character. I tend to trust, until I have reason not to.

But with systems, how does one determine trust? I have given trust to deal with things like banking online, Skype communications, several email accounts, etc. All of them now have serious trust issues. To some degree, I just continue, but I am far from comfortable.

Anonymous Coward says:

Re: Trusted Systems

Use open source software, as deliberate back-doors will not exist in it for long, and security vulnerabilities get fixed in hours to days, not weeks to months. For really sensitive stuff, run a live distro off of a DVD. Post Snowden, people will be keeping a closer eye on all commits, including some that are not part of the project, making it a stupid idea for a security agency to try and get a back door into the software.

Anonymous Anonymous Coward says:

Re: Re: Trusted Systems

“Use open source software”

I do. This is being posted from my Linux Machine. I run Windows as well, but only because I need, I mean need, my Flight Simulator.

This does not help if SSL is broken. This does not help if any encryption that gets used is broken. This does not help if Skype is broken, and due to the folks on the other end, other choices are not reasonable. This does not help if my VPN’s encryption is broken. This does not help if Tor is broken.

I have, and share, a Tails torrent, which is open source, Tor enabled, Linux based, used to be anonymous, used by Ed Snowden and Bruce Schneier, but just exactly when do I use it? Every time I visit my bank? When I want to send an email? Those are both online, and not particularly in my control.

Using Tails rather than punching the browser button is a tremendous inconvenience, as at the very least it requires two reboots, one to use it, and another to get back to normal. Is banking the break point? Or do I need a nefarious intent to invoke it? While I have nothing to hide, I have nothing I want seen.

OrganizedThoughtCrime (profile) says:

Re: Re: Re: Trusted Systems

“I have, and share, a Tails torrent, which is open source, Tor enabled, Linux based, used to be anonymous, used by Ed Snowden and Bruce Schneier, but just exactly when do I use it? Every time I visit my bank? When I want to send an email? Those are both online, and not particularly in my control.”

You use it when you want anonymity online, which is not the same as encryption. You should use a VPN for banking and email, not Tails or tor, and you should only trust that VPN up to the TLA point, and not beyond that. These tools can do a lot but it is critical that people understand what they do and do not do.

Anonymous Coward says:

Re: Re: Re:2 Trusted Systems

By those same standards those ‘hours to days’ and not ‘weeks to months’ also applies to many non-open source software. The speed that a vulnerability gets fixed depends on other factors such as the seriousness of the vulnerability (heartbleed was a very serious vulnerability) and the nature of the developers (are they lazy and slow or are they motivated and quick).

You can have motivated open-source developers and lazy ones too which is also true for proprietary software.

Anonymous Coward says:

Re: Re: Re:3 Trusted Systems

and another factor involved in the speed that vulnerabilities get fixed is the nature of the vulnerability and the nature of the vulnerable software. Some minor security vulnerability on a Windows machine can probably wait a week since the machine is probably behind a NAT firewall anyways. But the whole purpose of OpenSSL is to provide front line protection of very critical information.

So the AC above was comparing apples to oranges. Comparing the speed by which a non-critical vulnerability gets fixed after it is made vs the speed with which a critical vulnerability gets fixed from the time of disclosure to the developers is not a fair comparison.

Anonymous Coward says:

Re: Re: Re:3 Trusted Systems

One big difference with open source, anyone who is capable can provide the fix, and make it available to anyone who wants it. If it is a significant package, then the developers for many distros will be looking at the problem, so the fix is not dependent on a small number of developers, or even just the one, who are the acknowledged maintainer(s) for the package.

John Fenderson (profile) says:

Re: Re: Re:3 Trusted Systems

“You can have motivated open-source developers and lazy ones too”

True, but the advantage of OSS is that anyone can fix it. Heartbleed is a case in point. The original patch for it came from Google. So, while proprietary software can only be fixed by a small pool of developers, OSS software can be fixed by anyone in a much, much larger pool.

John Fenderson (profile) says:

Re: Re: Re:5 Trusted Systems

“which is an attitude many people seemed to have pre-heartbleed”

Interesting. I’ve seen many comments accusing others of thinking that OSS is some guarantee that there is no vulnerability, but I’ve not actually seen large numbers of people who actually think that, so it’s more than a bit of a straw man.

What I have seen a lot of is people misunderstanding the arguments that OSS is better than closed source in this matter and thinking that the argument is that OSS is inherently safe. It’s pretty near indisputable that OSS really is the safer choice, and often I wonder if the misunderstanding of the argument is deliberate.

Anonymous Anonymous Coward says:

Re: Re: Trusted Systems

That is why I use my $20 test, it tests the conditional, the condition being the other’s character.

Is not a situation where someone is selling trust a bit different? Does not the seller need to exhibit some form of character to get that trust? Should not such trust, thus displayed, be able to be counted upon? Should there be a statute of limitations on such trust? I know, better not ask a banker, or an insurance company executive, or certain ebook providers, or gaming system manufacturers, etc.

I am not arguing that such trust exists. The government has failed our trust. Banks have failed our trust. Numerous other companies and individuals have failed our trust. There is a lot not to trust out there.

I am arguing that we should be able to count on some things. I am arguing that the government should not be in the business of conflating that trust. I am arguing that short of criminal behavior, we should be able to trust.

Look, I am a realist. I know we cannot fully trust our current understanding of physics, simply because we don’t know it all yet, and current ‘facts’ may change. Yet I fully trust that if I jump up in the air, that part of physics that defines gravity will again earn my trust and hurtle me back to the ground. If that kind of trust can be developed in nature, what is so damn difficult about it for us humanoids?

I guess my question might better be expressed as how can we get to trust systems? Given what we now know.

John Fenderson (profile) says:

Re: Re: Re: Trusted Systems

“I guess my question might better be expressed as how can we get to trust systems”

And my answer is that if you’re looking for some kind of permanent trust, that’s impossible. It doesn’t matter if you’re talking about trusting technology or people. It’s just a fact of existence — things change, so trust must be temporary.

However, my personal take on trust issues is this: nothing and nobody is 100% trustworthy, so absolute trust is a foolish goal. When I say I “trust” something, what I mean is that I feel I have a good idea of the predictability of it. I have a reasonable handle on what circumstances I can or cannot rely on it.

Violated (profile) says:

Re: National Security Letter

An NSL looks most likely.

Had he only wanted to quit then why say Truecrypt is insecure?

If he believes Truecrypt is insecure then why not state the faults?

Had Truecrypt really been insecure then why do all on-going audits say that no serious flaw has been found?

Clearly much more is going on here than meets the eye.

Mark Wing (user link) says:

It’s gotta be either a compromised key or a hidden message. The development team wouldn’t in their right minds advise people to move from TrueCrypt to BitLocker; that’s clearly ludicrous. The fact that they haven’t made any clarifications to their statement is equally telling, and it’s pretty easy to do the math. My guess is that they are under a gag order, and that some entity really doesn’t want you, the user, to use TrueCrypt, meaning it is probably secure. Personally, I’m going to stay the course.

Mark Wing (user link) says:

One more thought: Let’s say you are some third party out to undermine TrueCrypt, for whatever reason. It would be very difficult to undermine the code as it is open source. You are unable to undermine the product itself, so why not do the next best thing: undermine the user’s trust in that product. So in that you accomplish your goal, because fewer people will use it and they will migrate to something less secure. And in this scenario, it should go without saying that if you had already undermined the code, you’d want more people to use it, not less. And you wouldn’t be issuing any statements.

So yeah, I think the team either fell on their swords or this is a clumsy attempt to undermine trust, and that both scenarios point towards older versions being trustworthy. I certainly won’t be downloading newer versions, that’s for double-dog sure.

Jason says:

Re: What Do You Seek

You’re asking the wrong questions. Or, at least, coming at it from the wrong angle.

It isn’t about “hiding” anything. It’s about privacy, and knowing your data is safe.

I have backups of my financial records (and other related personal items) on a thumbdrive, and it’s with me at all times. It’s my “backup of last resort” in case all my other backups are lost. (Due to fire, flooding, etc., all of which have affected me in the past.) If everything else fails, I always know I’ll have a backup of my most irreplaceable records with me.

And I encrypt it. Heavily. Not because I’m trying to “hide” it, but because it’s personal. Yes, I want to keep it out of the hands of any who would try to use it for nefarious purposes, but I also just want to know that a stranger can’t peruse my personal information if they get their hands on the drive. If the drive is lost or stolen, I don’t want to give a second thought to the information on it; I know it’s encrypted far beyond the point of practical recovery.

Not only that, but it’s also protected from situations we see more of these days, where any random traffic stop is “cause” to try to pry through every digital device in or near your control. I’d probably be perfectly willing to provide the password to law enforcement—upon receipt of a valid, narrow, and properly executed warrant (and after speaking with my lawyer)—but I rest easier knowing I have at least that level of control.

Again, it’s not secret, it’s private, and that’s a distinction that doesn’t get as much notice as it deserves. Even a person with “nothing to hide” has things they’d prefer to keep private. Different things for different people, to be sure, but taking steps to safeguard one’s privacy in the modern digital world is something that each person should be able to do in a way they feel is appropriate.

Locks may only keep out honest people, but I still use them. And I prefer to use the best ones I can.

OrganizedThoughtCrime (profile) says:

Re: What Do You Seek

“Risk Assessment 101:
– Who are you hiding data from? The government, your wife or your mom?”

The first question is valid as it addresses use-case. The allusion to authority figures and the desire to hide things from aforementioned authority figures has already been well addressed.

“– How much of your data really needs to be encrypted?”

All of it, if any of it.

DannyB (profile) says:

Why a Three Letter Agency must be involved

TLA = Three Letter Agency
TPLA = Three Plus Letter Agency

* This is nothing but a hoax
* This is nothing but a defacement

If that were the case, then the authors would come out and say so.

The newly released code containing the “hoax” was signed with the authentic signing key.

So a hoax seems unlikely.

If this is a hoax or defacement, then someone went to an awful lot of work to build a new software release — and obtain the capability to sign it!

If someone had obtained the secret signing keys, then there are lot more valuable things that could be done with them than a mere hoax / defacement.

* Maybe the authors just want to retire from long work on this program

Then why not just come out and say so?

Why not pass the torch to others to continue to work?

Why use the excuse of discontinuing it because of discontinued support for Windows XP, which is so lame of an excuse as to be unbelievable. (Hint: not to be believed.)

* A security vulnerability was discovered
* The program was hacked by the NSA, Chinese, Aliens, etc
* A weakness was discovered in the encryption

If this were the case, then why wouldn’t the authors just come out and say so? The only reason would be if they were constrained from saying so by a secret order from a secret court under the authority of a secret interpretation of a secret law, or something like that.

Consider that the newly released program, authentic according to its digital signature, has the warnings embedded. So the warnings must be genuine. Yet the same release with the warnings also removes the encryption capability but retains the decryption capability. This would imply that the authors’ motive is to allow you to continue to decrypt previously encrypted data, and would imply that the authors believe it currently is and will continue to be secure — but that *encryption* will not continue to be secure in the future.

* Maybe the authors merely lost control of their credentials, signing key, etc.

The same arguments apply.
* Why wouldn’t authors just say so?
* Why then release a new version with warnings, and removing future encryption capability, but keeping decryption capability?

This argument would imply that the authors still care about your security but were merely hacked or lost control of their key. If the authors continue to care about your security, then why suggest switching to BitLocker which is (a) closed source, (b) cannot be analyzed for vulnerabilities or back doors, and (c) is from Microsoft.

* This situation is nothing like LavaBit’s poor choice of response strategy

Nobody is arguing that it is similar. I am only arguing that the authors forced to compromise *future* security, and not disclose this, had no other choice but to find a way to get people to stop using the program.

My conclusion.

The only thing that seems to fit all of the facts is that a TLA/TPLA ordered them to hand over their digital signing keys and keep this fact a secret.

* This would mean that the authors have lost control of their keys
* The authors may have been forced to suggest switching to BitLocker, also for the benefit of TLAs/TPLAs.
* The authors cannot disclose this fact
* The TLAs/TPLAs want to make new insecure releases, that are digitally signed as authentic — even if only intended for release to selected parties.
* The authors still care about your security
* The authors still control their website and can still make new software releases
* The authors are not forbidden from abandoning the project or saying that it is now insecure
* The authors know that the past security of the program is not compromised, only the future security
* Therefore authors remove encryption but retain decryption capability, and then fall on their sword to protect everyone. Similar motives to Lavabit response, but not similar in other ways.

DannyB (profile) says:

Re: Why a Three Letter Agency must be involved

I would also like to add that someone on Ars points out that in the set of changes to the source code in this new release of True Crypt, all instances of “U.S.” have been replaced by “United States”.

That sounds like something a TLA would do.

GitHub source code comparison:…7.2

DannyB (profile) says:

Re: Why a Three Letter Agency must be involved

Another argument:

* But the authors gave a reason to stop using TrueCrypt — because of the removal of Windows XP support

TrueCrypt is (was) a cross platform program. So why would removal of XP support (even if that excuse were believable) have any effect on other platforms?

Why wouldn’t the authors simply discontinue the Windows version of TrueCrypt? Or simply discontinue it only in XP but continue working on TrueCrypt on Windows 7, 8, etc.?

DannyB (profile) says:

Re: Why a Three Letter Agency must be involved

So far, I have argued, based on available facts, that this is a Lavabit like situation.

Another possibility suggests itself.

A TLA (three letter agency) has managed to gain COMPLETE control of the project and its signing keys.

This also fits available facts. Lame excuse for ending project. Lack of any response by actual authors discrediting idea of a hack, hoax, defacement, or discovered vulnerability. This also fits with the U.S. being changed to United States. Some TLA button-down necktie programmer would do that.

Motive? If TrueCrypt is really secure, as all past evidence suggests, then TLAs would not want people using it. Thus they would be sure to remove all previous versions so you cannot download and use them.

Why not a peep from the authors? I’ve read that the authors are anonymous and have never before spoken to the press. If that is the case, loss of their signing credentials makes it impossible for them to verify that they are who they claim to be. You, or I could claim to be the author of TrueCrypt, but would equally have no way to prove it.

Violated (profile) says:

Re: Re: Why a Three Letter Agency must be involved

“A TLA (three letter agency) has managed to gain COMPLETE control of the project and its signing keys.”

Then why has the TrueCrypt team not stated this?

You are looking at this the wrong way when spies are not good spies being so public. The US Administration runs on ultra secrecy mode when they won’t send in the hackers but the ultra secret court orders.

Anonymous Coward says:

Re: Why a Three Letter Agency must be involved

Just wanted to point out a crucial detail to the OP: a form of encryption itself is not the same as an implementation of that same encryption. Case in point, AES encryption. Found in TrueCrypt, LUKS, BitLocker, and many other places. TrueCrypt (linux version, locally compiled) uses AES properly, hence why it worked (I don’t use TrueCrypt myself, but have heard that the windows version comes with a binary blob, and that the same source code that compiles on Linux won’t compile on windows). On the other hand, BitLocker uses that same AES encryption but because of implementation it also adds a backdoor for LEAs, rendering the same encryption practically useless (in that implementation).

Mindseyes says:

What if

I’ve only started using this a few months back, around Jan. I have the downloaded exe file on a flash drive. Misplaced the drive, which I just found. However, I downloaded another copy of this on monday. The site seemed fine. No warnings, error messages, etc.

Wouldn’t it be possible to reverse engineer an older release or two and compare it to a reverse-engineered version of the newest release to see what, if anything, has changed, to see if there is a backdoor or anything like that?

From what i’ve read, the govt, mainly the NSA has stated they couldn’t crack True Crypt. So in theory, from some of these comments, how possible is it, they were forced to back door it? Then did the honorable thing and shut down?

Just curiosity and questions here.

Also, from my knowledge, Bit Locker is not Linux compatible. TC comes installed on BT5, though that support has ended and has been replaced by Kali. But BT5 is still available.

Anonymous Coward says:

Wouldn’t it be possible to reverse engineer an older release or two and compare it to a reverse-engineered version of the newest release to see what, if anything, has changed, to see if there is a backdoor or anything like that?

No need for reverse engineering, both the old and the new source code are available. However as a check the new source should produce the same binary as the new binary when compiled for the same target using the same version of the compiler.

The Wanderer (profile) says:

Re: Re:

That’s not necessarily reliable. Many projects do not have “deterministic builds”, where compiling the same source for the same target with the same compiler and the same external libraries (et cetera) will produce a binary-identical file in all cases; in some cases, the compiler may go so far as to insert compile-time timestamps – or other time-dependent information – in the generated binary.

Producing a reliably deterministic build is still possible, but there’s no guarantee that any given project has gone to the trouble to ensure it.
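The two comments above describe the check and its catch: compile the published source with the same toolchain and compare against the published binary, which only works if the build is deterministic, and compile-time timestamps are the usual reason it is not. The script below is an added example, not code from the page or from the TrueCrypt project, showing both halves on a constructed sample program. It assumes a C compiler reachable as `cc`, and `sha256sum` or `shasum` in PATH; the sample source, the temporary directory layout and the `PIN_TIME` flags are this example's own. GCC 7 and later also honour the `SOURCE_DATE_EPOCH` environment variable for `__DATE__`/`__TIME__`, which is the usual knob in packaging; it is unset here so the first build is genuinely naive.

```shell
#!/bin/sh
# Added example: a minimal reproducible-build check. Build the same source
# twice, a second apart, and compare digests; then repeat with the
# timestamp macros pinned so the output no longer depends on the clock.
set -e

unset SOURCE_DATE_EPOCH          # make the naive case genuinely clock-dependent
WORK=${WORK:-$(mktemp -d)}

# Constructed sample program: bakes the compile time into the binary via
# __DATE__/__TIME__, the classic source of non-deterministic output.
write_sample() {
    cat > "$WORK/stamp.c" <<'EOF'
#include <stdio.h>
int main(void) { printf("built %s %s\n", __DATE__, __TIME__); return 0; }
EOF
}

# hash_file FILE: print the SHA-256 digest of FILE (coreutils or perl shasum).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# build OUT [CFLAGS...]: compile the sample to OUT and print its digest.
build() {
    out=$1; shift
    cc -O2 "$@" -o "$out" "$WORK/stamp.c"
    hash_file "$out"
}

# check_reproducible [CFLAGS...]: two builds a second apart; print the verdict
# on stdout and, on mismatch, the first differing byte on stderr.
check_reproducible() {
    a=$(build "$WORK/a.out" "$@")
    sleep 1
    b=$(build "$WORK/b.out" "$@")
    if [ "$a" = "$b" ]; then
        echo REPRODUCIBLE
    else
        cmp "$WORK/a.out" "$WORK/b.out" >&2 || true
        echo NOT_REPRODUCIBLE
    fi
}

# Flags that replace the timestamp macros with fixed strings. The -Wno-…
# flag only silences the "builtin macro redefined" warning; gcc and clang
# both accept the redefinition.
PIN_TIME='-Wno-builtin-macro-redefined -D__DATE__="redacted" -D__TIME__="redacted"'

if command -v cc >/dev/null 2>&1; then
    write_sample
    echo "naive build:     $(check_reproducible)"
    echo "pinned __DATE__: $(check_reproducible $PIN_TIME)"
fi
```

The same comparison against a vendor's binary needs more than pinned timestamps: the compiler version, linker, libraries, build path (`-ffile-prefix-map` for debug info) and build flags all have to match what the vendor used, which is why projects that want this property publish a build recipe rather than just the source.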
