CipherShed Forum

[compul]

According the the Roadmap, the goal of Phase 1 is to "Secure the future of TrueCrypt".

That includes the following:

• Scrub forked code of images and the name TrueCrypt
• Fix known security issues pointed out by security experts
• Recompile binaries for Windows, Linux, and Mac, with updated libraries
• Openly review changes, and solicit feedback from security community
• Release signed binaries and source packages

If you have any suggestions or questions to this, feel free to post here.

[WaywardGeek]

Two questions about how far to upgrade the tool chain for the first release:

Should we update from wxgtk2.8 to wxgtk3.0? I can go either way on that. One recommendation of the audit was to update the tool chain, but they did not say we should update the GUI toolkit.

Should we go get that 1991 version of Microsoft Visual C to build the DOS based full disk encryption? This would not exactly be "updating the tool chain", and I've seen one guy recommend on the truecrypt.ch forum that this support be dropped. The VeraCrypt guy in a private email suggested that we develop suport for UEFI disk encryption:

https://en.wikipedia.org/wiki/Unified_E ... _Interface

[WaywardGeek]

Another possibility would be to simply rebrand and rename the code, much as RealCrypt does, and get something out ASAP, maybe a "beta" in the next week or so. I have the RealCrypt source package, which shows the exact steps needed for this task. We could then exactly follow the steps in this blog for recompiling the Windows release:

https://madiba.encs.concordia.ca/~x_dec ... -analysis/

By the way, I've sent the author an email asking if he would like to work with us. I think he would be an outstanding addition to the team.

Bill

[compul]

I think it might be a good idea to get _something_ well working on the road now (a "beta") to establish CipherShed and keep the community together. Next goal could then be to fix the bugs discovered by the audit until sometime in summer and with that leave the beta stage.

[Sabbath]

I am only speaking as a long term TrueCrypt user and probably one of it's biggest fans

As desperate as I am to see a new, better release of TrueCrypt, I and I think others will understand this will take time.

My personal suggestion is that you do what is best for the long run. I am sure it is tempting to make a quick release while everyone is excited about TrueCrypt, but we have waited years for a significant change to TrueCrypt so a month or 2 isn't going to make much difference.

If you intend to upgrade the tool chain then go for it decisively and we will just have to wait. If you do it fully now then that is a job done and you will be able to concentrate on other things in future.

By the way you chaps interact with each other and how knowledgeably you discuss things, I am certain you will make the best programmatic decisions. Please don't let the users pressure you into rushing, as much as we will complain deep down we understand perfection takes time.

I am just so grateful there is some development on TrueCrypt again

[Resonance]

Hi guys,
+1 get something out NOW.

I have read your pages and the .ch pages in detail and you guys, I think, have a clearer picture of what is needed, better experience, more wisdom/discernment regarding pitfalls, and you set up this forum in a timely manner. No disrespect to .ch, but how hard is it to set up a phpBB? Should that takes weeks?

The danger in this is that whoever starts first may become much better known, just because they get a rumor about "being the TC replacement guys". That's great, but what if the philosophy is dumb or it does stupid things like phoning home? And what if the new project is so silly that it gets hacked and ruins the reputation of the codebase for everyone? No, it needs to be simple, secure, and completely sandboxed from donation, credit for hours spent, and update issues.

There are ways to thank and pay people without it turning into a circus, but the people have to be looking to make a GREAT program, not looking for a way to make a salaried job out of foss. Money isn't bad. Corporate backing is great, but once you mix in all that crap, you better be ready to spend just as many hours dealing with vetting and politics as checking code.

No, better to re-name it, put it out there. Make it clear that it is no different or no worse than TC7.1, and transparently state that you're waiting for audits and improvements.

A project like this calls for very serious thinking about trade offs between features, security, and money. The goals you all stated HERE are much clearer and reflect the needed caution. Good job so far guys. A clear vision is paramount before rushing in and trying to turn a reliable bicycle into a dangerous motorcyle.

[WaywardGeek]

You seem to be thinking exactly along the same lines as me and I think most of the other guys here on the CipherShed site. I posted to the CipherShed list on FreeLists this morning more or less the same idea. I think we should move forward with a first release which is nothing more than rebranding - changing the images and all references of TrueCrypt to CipherShed. This should help reassure users and give our dev team a chance to pipe-clean our release methodology. After that, I think we should do the "short-term" fixes recommended in the audit and do another release later this summer. It might or might not be 100% compatible, depending on issues such as whether we decide to continue compiling the BIOS driver with a 1991 version of Microsoft Visual C.

[disc]

How about installers? Those don't appear to be included in the sources.

Should we update from wxgtk2.8 to wxgtk3.0? I can go either way on that. One recommendation of the audit was to update the tool chain, but they did not say we should update the GUI toolkit.

I don't think they meant the toolkit (they were looking only at the Windows version it seems, which doesn't use wx), and it also depends on how faithful the first release should be to 7.1a? Using wxOSX 3.0 means OS X 10.4 officially isn't supported anymore (not that I would care). Though if it doesn't work fine already then with some tweaking it probably could. Also for GTK-based releases 3.0 could be used of course while OS X could stick to 2.8 for now. It shouldn't be difficult to have the source working both for wx 2.8 and 3.x .

[disc]

How about installers? Those don't appear to be included in the sources.

Correction: ZIP source files contain a Setup directory for the Windows installer.

[spiraldancing]

I also support a fast transition and a quick first release, mainly to establish legitimacy/continuity of the project. But a clean transition is also important. A clean merge with the .ch guys would be much better than competing projects with similar-but-not-quite-identical goals.

I've been following .ch for a week now (didn't even know about ciphershed until today), just happy someone had picked up the ball. I am gradually getting concerned about their skills & commitment, but by-&-large, they do seem to be well-meaning, and mostly aiming for the same kind of project goals as ciphershed.