
How 2 SpaceX Alums Are Using Encryption for Good - buu700
http://dcinno.streetwise.co/2016/01/07/spacex-alums-are-offering-encrypted-messaging/
======
castratikron
I'm not sure if it's possible to truly call it secure unless the source code
is publicly available.

~~~
buu700
Absolutely agreed! We haven't gone as far as to make Cyph truly FLOSS, but our
source code is publicly available under the Ms-RSL:
[https://github.com/cyph/cyph](https://github.com/cyph/cyph)

In the near future, we plan to go further than that by releasing a script that
builds the source code locally and computes its hash, then compares that to
the hash of the current production signed package and alerts you if they don't
match. The intention is to make it easily detectable if we ever sign and
deploy code that differs from what's in GitHub, such that any hypothetical
"secret" backdoor would need to be hidden in plain sight right in the revision
control commit log (which we would expect to eventually be caught by an
independent security analyst).

~~~
castratikron
So, essentially, a reproducible build.

~~~
buu700
Yep, exactly. We may need to pin things like TypeScript and minifiers to
specific versions in our local environment's Dockerfile, but otherwise there
should be no issues with other people's machines computing the same packages
and hashes byte-for-byte.
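
An added example, not part of the thread and not Cyph's own script: one way to do the check discussed above, hashing a local build tree and an unpacked production package by content only and listing the files that differ. The function names, directory layout and sample files are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def file_hashes(root):
    """Map each relative path under root to the SHA-256 of its contents."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*") if p.is_file()
    }

def tree_digest(root):
    """One digest for a build tree; mtimes, ownership and walk order are ignored."""
    manifest = hashlib.sha256()
    for rel, digest in sorted(file_hashes(root).items()):
        # Length-prefix the path so adjacent entries cannot be confused.
        name = rel.encode("utf-8")
        manifest.update(len(name).to_bytes(4, "big") + name + bytes.fromhex(digest))
    return manifest.hexdigest()

def compare_builds(local_build, published_package):
    """Return (matches, differing_paths) for a local build vs. the published one."""
    local, published = file_hashes(local_build), file_hashes(published_package)
    differing = sorted(
        path for path in local.keys() | published.keys()
        if local.get(path) != published.get(path)  # changed, added or missing
    )
    return tree_digest(local_build) == tree_digest(published_package), differing

def demo():
    """Constructed sample: identical source, but the minifier output differs."""
    with tempfile.TemporaryDirectory() as tmp:
        local, prod = Path(tmp, "local"), Path(tmp, "prod")
        for tree in (local, prod):
            (tree / "js").mkdir(parents=True)
            (tree / "index.html").write_text("<script src=js/app.js></script>")
        (local / "js" / "app.js").write_text("var a=1;")  # local toolchain
        (prod / "js" / "app.js").write_text("var a=1")    # unpinned toolchain
        return compare_builds(local, prod)

if __name__ == "__main__":
    ok, changed = demo()
    print("MATCH" if ok else "MISMATCH: " + ", ".join(changed))
```

The one-byte difference in the constructed `app.js` shows why an unpinned build tool is enough to break a byte-for-byte match even when the source is identical.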

