Background: Currently, before a new release of Bitcoin-Qt is published to SourceForge, it must be compiled by 3 different people who verify that they have produced the same exact binaries. This is done to protect against a variety of attack vectors: a single builder could include a trojan or backdoor into their binaries. No matter how much this person is trusted, their ability puts them at risk of being forced (e.g., by gunpoint or legal action) to do so, or potential to do so accidentally (e.g., if their build system is infected itself). Additionally, there is one person to impersonate or man-in-the-middle-attack, and the chance (5-10% in a person's lifetime, according to a quick Google) the person may begin to go insane. It also leaves open a question to the masses should that person die, of whether his successor is just as trustworthy.
However, right now, these thrice-verified builds are only possible for Linux and Windows using the Gitian framework. So far, Gavin has been personally responsible for the Mac OS X binaries, and he (and the community) incurs all the risks above as a result.
My proposal: I have succeeded in building bitcoind (the JSON-RPC server) for Mac OS X under Gitian, and verified that this build is deterministic (able to be compared with others' builds). In addition to the cross-compiler and dependencies of bitcoind, I have also succeeded in building the dependencies required for Bitcoin-Qt under Gitian - except for Nokia Qt itself. To build Qt, I need to go back to the cross-compiler and figure out how to get the Objective-C compiler working. Then I will need to configure Qt for cross-compiling using it, and ensure the output is deterministic enough to produce a deterministic Bitcoin-Qt build based on it. This is going to be a lot more work, especially since nobody seems to have ever cross-compiled Qt for Mac OS X before.
Therefore, I am asking for donations to help fund completing this effort:
1D8jkYpkcJUQ6BJzjAATAEBjHdgVhvisAV

P.S. My work thus far on this specific project is all published in these Gitorious repositories.
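The post's core defence is that several independent builders must produce byte-identical binaries before a release is published, so that no single compromised or coerced builder can slip a modified binary through. The script below is an added illustration of that release-gate check, not code from the post or from the Gitian project: it takes a per-builder report of artifact digests (a constructed, simplified stand-in for Gitian's own assert files, which use a different format), requires a minimum number of builders, and reports every artifact where a builder is missing or disagrees with the others. The builder names, artifact names and digests are all constructed sample data.

```python
import hashlib
from collections import Counter


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a blob; each builder would run this over its own output."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample data (not real release digests). Two builders agree on
# both artifacts; the third reports a different digest for the Bitcoin-Qt
# binary, which is exactly the situation the multi-builder rule must catch.
GOOD_BITCOIND = sha256_hex(b"constructed stand-in for bitcoind bytes")
GOOD_QT = sha256_hex(b"constructed stand-in for Bitcoin-Qt bytes")
BAD_QT = sha256_hex(b"constructed stand-in for a modified Bitcoin-Qt")

BUILD_REPORTS = {
    "builder-a": {"bitcoind": GOOD_BITCOIND, "bitcoin-qt": GOOD_QT},
    "builder-b": {"bitcoind": GOOD_BITCOIND, "bitcoin-qt": GOOD_QT},
    "builder-c": {"bitcoind": GOOD_BITCOIND, "bitcoin-qt": BAD_QT},
}


def verify_reproducible(reports, required=3):
    """Gate a release on independent builders reproducing identical binaries.

    reports: {builder_name: {artifact_name: sha256_hex}}
    required: minimum number of builders that must have submitted a report.

    Returns (ok, problems). ok is True only when enough builders reported and
    every artifact has one digest that all reporting builders agree on.
    problems lists each shortfall in plain language so a release manager can
    see which artifact and which builder needs investigating.
    """
    problems = []
    if len(reports) < required:
        problems.append(f"only {len(reports)} build reports, need {required}")

    # Union of artifact names so a builder silently omitting one is noticed.
    artifacts = set()
    for digests in reports.values():
        artifacts.update(digests)

    for artifact in sorted(artifacts):
        votes = {b: d.get(artifact) for b, d in reports.items()}
        for builder, digest in votes.items():
            if digest is None:
                problems.append(f"{artifact}: no digest from {builder}")
        counts = Counter(d for d in votes.values() if d is not None)
        if len(counts) <= 1:
            continue  # every reporting builder agrees on this artifact
        majority, n = counts.most_common(1)[0]
        if n * 2 <= sum(counts.values()):
            # No digest reached a strict majority: nothing to trust yet.
            problems.append(f"{artifact}: no majority digest among builders")
            continue
        for builder, digest in votes.items():
            if digest is not None and digest != majority:
                problems.append(
                    f"{artifact}: {builder} produced {digest[:12]}..., "
                    f"majority produced {majority[:12]}..."
                )
    return (not problems, problems)


if __name__ == "__main__":
    ok, problems = verify_reproducible(BUILD_REPORTS)
    print("release OK" if ok else "release BLOCKED")
    for p in problems:
        print(" -", p)
```

With the sample data the release is blocked and the report names builder-c and the bitcoin-qt artifact; the point is that a disagreement is surfaced as a concrete artifact and builder to examine rather than being averaged away. The majority rule only identifies the odd one out for the human reviewer; the gate itself still requires unanimous agreement, which is what the post's "same exact binaries" rule demands.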