4 comments

[ 22.8 ms ] story [ 971 ms ] thread
I'm not sure if it's possible to truly call it secure unless the source code is publicly available.
Absolutely agreed! We haven't gone as far as to make Cyph truly FLOSS, but our source code is publicly available under the Ms-RSL: https://github.com/cyph/cyph

In the near future, we plan to go further than that by releasing a script that builds the source code locally and computes its hash, then compares that to the hash of the current production signed package and alerts you if they don't match. The intention is to make it easily detectable if we ever sign and deploy code that differs from what's in GitHub, such that any hypothetical "secret" backdoor would need to be hidden in plain sight right in the revision control commit log (which we would expect to eventually be caught by an independent security analyst).

So, essentially, a reproducible build.
Yep, exactly. We may need to pin things like TypeScript and minifiers to specific versions in our local environment's Dockerfile, but otherwise there should be no issues with other people's machines computing the same packages and hashes byte-for-byte.