How secure is anything really?

Focus: Musings on dependencies

How do you know the software you use is safe? ElectrumSV depends on many open source packages, most of them hosted on the Python Package Index. We don’t review the source code as we upgrade each one to a new version, even though ideally every change made would be vetted.

Packages as dependencies

Even if we vetted every change made to our dependencies, we would not be using that source code. We do what everyone else does, in order to live in a real and practical world: we fetch published packages. It is the package that any installation of ElectrumSV obtains that we validate, not the source code the package came from.

Best practices for dependencies

When we build an ElectrumSV binary for release, all the dependencies should be verified. For the Python packages, each download that will be included is hashed — which means that if we get a different file than the one we require, the build process will fail. For other dependencies, we manually retrieve the source code from a specific commit in the relevant Git repository, which again ensures that the source code we obtain is the source code we require.
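As an added illustration of the hash-pinning step described above (this is not ElectrumSV’s own build code): a small Python check modelled on the `--hash=sha256:…` requirements format that pip’s hash-checking mode uses, run against a constructed fake package file and its pinned digest. The function names and the sample data are assumptions made for this example.

```python
import hashlib
import re
# Matches each "--hash=sha256:<hex>" entry, the form pip's hash-checking mode uses.
_HASH_RE = re.compile(r"--hash=sha256:([0-9a-fA-F]{64})")
# Matches the leading "name==version" pin; anything looser is rejected outright.
_NAME_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)==([^\s\\]+)")

def parse_pinned_requirements(text):
    """Return {(name, version): {allowed sha256 hex digests}} from requirements text."""
    pins = {}
    # Join backslash-continued lines first, as the requirements format allows.
    joined = text.replace("\\\n", " ")
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = _NAME_RE.match(line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        hashes = {h.lower() for h in _HASH_RE.findall(line)}
        if not hashes:
            raise ValueError(f"no --hash given for {m.group(1)}=={m.group(2)}")
        pins[(m.group(1).lower(), m.group(2))] = hashes
    return pins

def sha256_hex(data):
    """Hex SHA-256 of the downloaded archive bytes."""
    return hashlib.sha256(data).hexdigest()

def verify_download(pins, name, version, data):
    """True only if the fetched bytes match a pinned digest for that exact version."""
    allowed = pins.get((name.lower(), version))
    if allowed is None:
        return False  # nothing pinned for this package: refuse rather than trust it
    return sha256_hex(data) in allowed

def verify_all(pins, downloads):
    """Return the (name, version) pairs that failed; an empty list lets the build proceed."""
    return [(n, v) for (n, v), data in downloads.items() if not verify_download(pins, n, v, data)]

# Constructed sample: a fake wheel payload and a requirements file pinning its digest.
GOOD_WHEEL = b"PK\x03\x04 constructed fake wheel bytes for this demo"
REQUIREMENTS = (
    f"somepackage==1.2.3 \\\n    --hash=sha256:{sha256_hex(GOOD_WHEEL)}\n"
    "# comment lines are ignored\n"
)

if __name__ == "__main__":
    pins = parse_pinned_requirements(REQUIREMENTS)
    print("untouched file, failures:", verify_all(pins, {("somepackage", "1.2.3"): GOOD_WHEEL}))
    print("altered file, failures:", verify_all(pins, {("somepackage", "1.2.3"): GOOD_WHEEL + b"x"}))
```

A single appended byte changes the digest, so the altered download is reported and a real build script would stop at that point rather than package it.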

Reproducible builds

Electrum Core, and likely also Electron Cash, have put a lot of work into reproducible builds. What this means is that everything about making a build is locked down and adjusted, so that not only is every dependency fixed to a specific version, but the resulting binaries, when built, should be byte-for-byte identical to those anyone else builds using the same process.

Reproducibility and insurance

At this point I am going to go on a minor tangent and wonder how insurable software security would be, within defined conditions.

Final thoughts

Everything is based on trust. We can build better systems that remove the need to trust, if it is worthwhile to do so. But who has time for that.

ElectrumSV developer