Clodo wrote:
We are available to provide any information you need.
We'd missed this post, until a member was kind enough to point us towards it. Our apologies for the delay in reply, no disrespect intended.
Under GitHub we release ALL the source code related to our client: https://github.com/AirVPN/airvpn-client
This include also an additional project used to generate (compilation, packaging, signing) binary deploy files (.zip, .dmg, .tar.gz etc).
This is a nice standard, and we have indeed reviewed your repository as a benchmark and example of source publication.
That we take a much more slimmed-down approach to this process should not be surprising, and is entirely congruent with not only our project's general "less is more tendency," but also reflects a vastly slimmed-down client application itself. The lack of extensive second-order helper and deployment components is not indicative of a failure to publish them, but rather of their absence from our build process.
Our version-specific binary releases have traditionally been published here in our forum, along with all relevant hash fingerprints, build details, changelog, and whatnot. We're not averse to migrating some of that to github, but frankly there are security implications involved that have kept us from doing so. Simply put, we don't control github (obviously) and using it as a binary-verification platform creates a single point of subversion failure that is much less the case here in our forum which we administer ourselves on a server we maintain ourselves.
That said, we've long been moving towards a reproducible build framework for our version deployments - following along behind the excellent work in this space being done by the Tor Project. As our client is minimally bogged-down with extraneous components, this is a much less challenging task than that faced by Tor... even so, we've not yet got it to where it's ready for public presentation. That's something we need to do better at, and we're appreciative of others in the industry chivvying us in that regard.
We differ somewhat from others in the mechanisms we use as benchmarks for code signing and code integrity verification. Frankly, using CA-based code signing resources strikes us as close to parody, given how badly subverted that entire process is. At the same time, raw OpenPGP signatures are close to impossible for 99% of folks to actually verify as genuine given the requirement for command line competence. That's unfortunate, perhaps, but 100% true.
As this subsumes under our KeyChain decentralised authenticity verification framework, it's something we'll publish in more detail via that channel. Suffice to say that we'd like to see binary verification that is not fiendishly difficult for people to use, and that is blockchain-based in terms of posting of validation primitives.
In your GitHub, in our section: https://github.com/cryptostorm/cleanvpn ... ter/airvpn
there are 3 files.
7za.exe is used by the deploy project to generate .zip files for Windows. Included in GitHub. Never included in final build.
Program.cs is the main source code of the deploy project. Included in GitHub. Never included in final build.
github-d967f968a967d73050b6f00df5ceb05917ff8f3c7f3803e832bee5eda8037365.js
That repository is open to public editing & commits, and is not intended nor administered as "our" repository in any meaningful sense. We hope you'll revise, expand upon, and remove files from the stub AirVPN subfolder I created there as a placeholder. If you prefer us to clone over your repository, we could do so... but that seems a little bit heavy for the cleanVPN project flow overall.
As a side note, I would like to underline that few competitors release their client software under GPL.
This is undeniably true, and perhaps we can create some momentum towards change in that regard. In part, I suspect, some simply aren't familiar with the tools for source publication... it can seem daunting to those new to the process. By providing examples - diverse examples, as I mentioned above - perhaps we can do some "leadership through engaged mentorship" in this regard, and thus encourage constructive evolution in the industry overall.
Can we know why you report the aforementioned files?
Hopefully I've touched on that in sufficient detail above; there's no malicious intent nor intimation in the selection of files there, nor has that ever been suggested by us in anything we've published independently or as part of the cleanVPN process. And to reiterate: the repository is publicly edit-permission set and has been all along. Edit it into something that is useful, and by all means we'll gladly use that as a constructive example to provide to others.
Here's a screenshot of the tweet to which you've linked, above:
Your concern over insinuation is understandable, given that. We'd neither seen it, nor been made aware of it previously.
I'll submit this reply to our twitter-manning staffer, so there's another direct link into this thread directly connected to that twitter conversation. And we're happy to aggressively publicise any materials or analytic supplement you choose to provide in the repository, or here, or anywhere else to be honest - the best way to overcome whispering innuendo, our experience has suggested, is to shine a bright light of factual data on it.
Again, my personal apology for the delay in seeing this post - and thus in replying. I've set some triggers in these threads to ensure such doesn't take place again.
Though I hesitate to point this out as it sounds a bit disingenuous to do so, you'll find if you check our public statements as shared on twitter and elsewhere that we routinely cite AirVPN as a VPN service that is clearly doing good work and doing it without any sense of fraudulent undertone. This may seem like faint praise, but there's only one other service we mention in similar terms (Mullvad) - out of the vast seas of other entities now littering the VPN landscape. If it's of any benefit, I'll gather up citations to those public mentions to back up this parenthetical comment. Cryptostorm approaches many areas of secure networking from a different direction - and answers resulting questions differently - than does AirVPN (or Mullvad), so it's not that we're aligned in that way. However, we have a high confidence that AirVPN isn't a scam nor ineptly managed... that confidence is all too scarce in the industry nowadays, as I am sure you well understand.