HOSTING ISSUE
I want to know whether I can trust this (veracrypt@sourceforge) or not.
VeraCrypt is active on codeplex.com, and I know it's the author's official site.
Wikipedia's link pointed to codeplex.
But on "veracrypt.codeplex.com", I can't find anything about sourceforge.
Is this website a fake? If not, please mention this SF project on codeplex.
FILE VERIFICATION
Please post each file's "SHA-1" and "SHA-256" publicly when uploading.
I DON'T TRUST MICROSOFT
MS had slept with NSA, so I hate it. I always stay away from codeplex, so this SF
webpage is very useful to me.
However, your code is hosted on codeplex, which is owned by Microsoft, so there's the
possibility that MS modifies your code to open a backdoor when you're sleeping.
Please consider moving your project to a more open space, such as Github or Bitbucket.
Sincerely,
Anon.
You seem to have missed the fact that I publish the PGP-signatures and hashes of all released files...you should have verified first before posting your message, because if you just go to the downloads pages, you'll see them and I also give the link to the PGP public key on the main page on Sourceforge and Codeplex.
VeraCrypt code is hosted on 4 different locations:
All git repositories are synchronized and their content is checked against each other and against an internal repository. This ensures source code integrity and protects from any attempt to modify the code by an attacker.
Codeplex is the main home page because it offers the best user experience and look-n-feel for most users. Github and Sourceforge are more developer oriented.
All VeraCrypt releases (binaries and source) are PGP-signed and they are uploaded to Sourceforge and Codeplex. Moreover, I have put in place a system where a single bundle containing all files is available on 3 locations (Bitbucket, Sourceforge and Codeplex) and the PGP-signature and hashes of this bundle are published in Pastebin and Reddit to protect against any attempt to tamper with this bundle:
As you can see, VeraCrypt integrity doesn't rely on a single provider, be it Microsoft, Atlassian, Github or Sourceforge. With these safeguards that were put in place, any attempt to tamper with VeraCrypt sources or binaries will be detected right away and it will be a huge public image issue for the affected provider.
From your writing, you seem to give more trust to Github and Bitbucket than Codeplex and Sourceforge. All 4 are US-based companies and they can be subject to the same pressures or interventions. So for me, they are all equivalent services that generously provide an important hosting service for the Open Source community and, like any other public hosting service, the necessary security and integrity safeguards must be put in place to protect the hosted content from being compromised.
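The cross-check described in the reply above, sketched from the downloader's side as an added example (not part of the original posts and not VeraCrypt's own tooling): hashes are accepted only if at least two independent publication channels agree, and every mirror's copy must then match them. The hash-list format, file name and sample bytes are constructed assumptions; PGP signature verification is assumed to be done separately.

```python
import hashlib
import hmac

def digests(data: bytes) -> dict:
    """SHA-1 and SHA-256 of a downloaded file, as lowercase hex."""
    return {"sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

def parse_hash_list(text: str) -> dict:
    """Parse 'ALGO HEX FILENAME' lines (constructed format) into {(file, algo): hex}."""
    out = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            algo, hexval, name = parts
            out[(name, algo.lower())] = hexval.lower()
    return out

def verify_bundle(name, mirror_copies, published_lists):
    """Return (ok, problems) for one file fetched from several mirrors."""
    problems = []
    parsed = {ch: parse_hash_list(t) for ch, t in published_lists.items()}
    expected = {}
    for algo in ("sha1", "sha256"):
        values = {ch: p.get((name, algo)) for ch, p in parsed.items()}
        # No single channel is trusted: require two or more that agree.
        if len(values) < 2 or None in values.values() or len(set(values.values())) != 1:
            problems.append(f"need >=2 agreeing channels for {algo}: {values}")
        else:
            expected[algo] = next(iter(values.values()))
    for mirror, data in mirror_copies.items():
        actual = digests(data)
        for algo, want in expected.items():
            if not hmac.compare_digest(actual[algo], want):
                problems.append(f"{mirror}: {algo} mismatch")
    return (not problems, problems)

# Constructed sample data: a stand-in bundle, two hash listings, three mirrors.
BUNDLE = b"constructed stand-in for a release bundle\n"
NAME = "bundle.zip"  # hypothetical file name
D = digests(BUNDLE)
LISTING = f"SHA1 {D['sha1']} {NAME}\nSHA256 {D['sha256']} {NAME}\n"
CHANNELS = {"pastebin": LISTING, "reddit": LISTING}
MIRRORS = {"bitbucket": BUNDLE, "sourceforge": BUNDLE,
           "codeplex": BUNDLE + b"x"}  # one copy altered to show detection

if __name__ == "__main__":
    ok, problems = verify_bundle(NAME, MIRRORS, CHANNELS)
    print(ok, problems)
```
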