cleanvpn.org/airvpn - information & team process discussions (a great, positive example!)

Encouraging best practices in the VPN industry via independent, community-certified verification of clean installers and clean basic service operations. Let's reward the good, and make the bad a little bit less tempting 〰 github repo#cleanVPN
Topic Author
Clodo
Posts: 2
Joined: Fri Mar 27, 2015 11:18 pm

Postby Clodo » Fri Mar 27, 2015 11:23 pm

{split from the main thread, to enable faster access & wider visibility ~admin}
{direct link: cleanvpn.org/airvpn}


We are available to provide any information you need.

Under GitHub we release ALL the source code related to our client: https://github.com/AirVPN/airvpn-client
This also includes an additional project used to generate (compilation, packaging, signing) the binary deploy files (.zip, .dmg, .tar.gz, etc.).

In your GitHub, in our section: https://github.com/cryptostorm/cleanvpn ... ter/airvpn there are 3 files.

7za.exe is used by the deploy project to generate .zip files for Windows. Included in GitHub. Never included in final build.
Program.cs is the main source-code of the deploy project. Included in GitHub. Never included in final build.
github-d967f968a967d73050b6f00df5ceb05917ff8f3c7f3803e832bee5eda8037365.js is a file unknown to us. Anyway, our client doesn't use JavaScript.

As a side note, I would like to underline that few competitors release their client software under GPL.
Can we know why you report the aforementioned files?
It's important to us to block in a timely manner such insinuations.

Thanks.

Clodo - AirVPN developer

Pattern_Juggled
Posts: 1492
Joined: Sun Dec 16, 2012 6:34 am
Contact:

reply to AirVPN's contribution: suggestions & appreciation

Postby Pattern_Juggled » Wed Apr 01, 2015 8:35 am

Clodo wrote: We are available to provide any information you need.


We'd missed this post, until a member was kind enough to point us towards it. Our apologies for the delay in reply, no disrespect intended.

Clodo wrote: Under GitHub we release ALL the source code related to our client: https://github.com/AirVPN/airvpn-client
This also includes an additional project used to generate (compilation, packaging, signing) the binary deploy files (.zip, .dmg, .tar.gz, etc.).


This is a nice standard, and we have indeed reviewed your repository as a benchmark and example of source publication.

That we take a much more slimmed-down approach to this process should not be surprising, and is entirely congruent not only with our project's general "less is more" tendency, but also with a vastly slimmed-down client application itself. The lack of extensive second-order helper and deployment components is not indicative of a failure to publish them, but rather of their absence from our build process.

Our version-specific binary releases have traditionally been published here in our forum, along with all relevant hash fingerprints, build details, changelog, and whatnot. We're not averse to migrating some of that to github, but frankly there are security implications involved that have kept us from doing so. Simply put, we don't control github (obviously) and using it as a binary-verification platform creates a single point of subversion failure that is much less the case here in our forum which we administer ourselves on a server we maintain ourselves.

That said, we've long been moving towards a reproducible build framework for our version deployments - following along behind the excellent work in this space being done by the Tor Project. As our client is minimally bogged-down with extraneous components, this is a much less challenging task than that faced by Tor... even so, we've not yet got it to where it's ready for public presentation. That's something we need to do better at, and we're appreciative of others in the industry chivvying us in that regard.

We differ somewhat from others in the mechanisms we use as benchmarks for code signing and code integrity verification. Frankly, using CA-based code signing resources strikes us as close to parody, given how badly subverted that entire process is. At the same time, raw OpenPGP signatures are close to impossible for 99% of folks to actually verify as genuine given the requirement for command line competence. That's unfortunate, perhaps, but 100% true.

As this subsumes under our KeyChain decentralised authenticity verification framework, it's something we'll publish in more detail via that channel. Suffice to say that we'd like to see binary verification that is not fiendishly difficult for people to use, and that is blockchain-based in terms of posting of validation primitives.

Clodo wrote: In your GitHub, in our section: https://github.com/cryptostorm/cleanvpn ... ter/airvpn there are 3 files.

7za.exe is used by the deploy project to generate .zip files for Windows. Included in GitHub. Never included in final build.
Program.cs is the main source-code of the deploy project. Included in GitHub. Never included in final build.
github-d967f968a967d73050b6f00df5ceb05917ff8f3c7f3803e832bee5eda8037365.js is a file unknown to us. Anyway, our client doesn't use JavaScript.


That repository is open to public editing & commits, and is not intended nor administered as "our" repository in any meaningful sense. We hope you'll revise, expand upon, and remove files from the stub AirVPN subfolder I created there as a placeholder. If you prefer us to clone over your repository, we could do so... but that seems a little bit heavy for the cleanVPN project flow overall.

Basically, our hope is that you'll use the space in the cleanVPN repository in what ways you prefer to use it so that there's a diversity of approaches and presentations taking place as time goes by. For example, if I've inadvertently cloned in some javascript that has no relevance, by all means rm it & annotate the changelog with exactly that information! The reason I've not published on any of those three files is that they're utterly incomplete, not well-reviewed by anyone for cleanVPN, and basically stuck there as a reminder that the subdirectory could use some fleshing out.

Clodo wrote: As a side note, I would like to underline that few competitors release their client software under GPL.


This is undeniably true, and perhaps we can create some momentum towards change in that regard. In part, I suspect, some simply aren't familiar with the tools for source publication... it can seem daunting to those new to the process. By providing examples - diverse examples, as I mentioned above - perhaps we can do some "leadership through engaged mentorship" in this regard, and thus encourage constructive evolution in the industry overall.

Clodo wrote: Can we know why you report the aforementioned files?


Hopefully I've touched on that in sufficient detail above; there's no malicious intent nor intimation in the selection of files there, nor has that ever been suggested by us in anything we've published independently or as part of the cleanVPN process. And to reiterate: the repository is publicly edit-permission set and has been all along. Edit it into something that is useful, and by all means we'll gladly use that as a constructive example to provide to others.

Clodo wrote: It's important to us to block in a timely manner such insinuations.


Here's a screenshot of the tweet to which you've linked, above:

[image: AirVPNreddit.png]

Your concern over insinuation is understandable, given that. We'd neither seen it, nor been made aware of it previously.

I'll submit this reply to our twitter-manning staffer, so there's another direct link into this thread directly connected to that twitter conversation. And we're happy to aggressively publicise any materials or analytic supplement you choose to provide in the repository, or here, or anywhere else to be honest - the best way to overcome whispering innuendo, our experience has suggested, is to shine a bright light of factual data on it.

Again, my personal apology for the delay in seeing this post - and thus in replying. I've set some triggers in these threads to ensure such doesn't take place again.

Regards,

    ~ pj



ps: though I hesitate to point this out, as it sounds a bit disingenuous to do so, you'll find if you check our public statements as shared on twitter and elsewhere that we routinely cite AirVPN as a VPN service that is clearly doing good work and doing it without any sense of fraudulent undertone. This may seem like faint praise, but there's only one other service we mention in similar terms (Mullvad) - out of the vast seas of other entities now littering the VPN landscape. If it's of any benefit, I'll gather up citations to those public mentions to back up this parenthetical comment. Cryptostorm approaches many areas of secure networking from a different direction - and answers resulting questions differently - than does AirVPN (or Mullvad), so it's not that we're aligned in that way. However, we have a high confidence that AirVPN isn't a scam nor ineptly managed... that confidence is all too scarce in the industry nowadays, as I am sure you well understand.
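An added illustration of the hash-fingerprint publication pj discusses above, and of his "single point of subversion" concern (example code written for this page, not cryptostorm's or AirVPN's own tooling): a downloaded release is accepted only when two independently published sha256sum-style manifests agree on each file's digest and the local copy matches it. The manifests, file names and contents are constructed inline.

```python
import hashlib
import tempfile
from pathlib import Path

def parse_manifest(text):
    """Parse sha256sum-style lines ('<hex>  <name>') into {name: hex}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        name = name.lstrip("*").strip()       # sha256sum marks binary mode with '*'
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[name] = digest.lower()
    return entries

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()  # fine for installer-sized files

def verify_release(download_dir, manifests):
    """Every independently published manifest must agree before a file is even checked."""
    parsed = [parse_manifest(m) for m in manifests]
    results = {}
    for name in sorted(set().union(*parsed)):
        digests = {p.get(name) for p in parsed}
        if len(digests) != 1 or None in digests:
            results[name] = "disagree"   # channels differ: one of them may be subverted
            continue
        path = Path(download_dir) / name
        if not path.is_file():
            results[name] = "missing"
        else:
            results[name] = "ok" if sha256_file(path) == digests.pop() else "mismatch"
    return results

def demo():
    """Constructed sample: a 'forum' manifest, an altered 'mirror' copy, and a download dir."""
    d = Path(tempfile.mkdtemp())
    (d / "client.exe").write_bytes(b"genuine build")
    (d / "tarball.tgz").write_bytes(b"genuine tarball")
    (d / "helper.bin").write_bytes(b"tampered helper")   # not what was published
    hx = lambda b: hashlib.sha256(b).hexdigest()
    forum = (f"{hx(b'genuine build')}  client.exe\n{hx(b'genuine tarball')}  tarball.tgz\n"
             f"{hx(b'genuine helper')}  helper.bin\n{hx(b'docs')}  README.txt\n")
    mirror = forum.replace(hx(b"genuine tarball"), "0" * 64)   # mirror's tarball entry altered
    return verify_release(d, [forum, mirror])
```

Anything other than "ok" for every file is a reason not to install; "disagree" in particular means the two publication channels no longer tell the same story.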
