Talk:VeraCrypt: Difference between revisions
Revision as of 03:13, 24 March 2022
This is the talk page for discussing improvements to the VeraCrypt article. This is not a forum for general discussion of the article's subject.
This article has not yet been rated on Wikipedia's content assessment scale. It is of interest to the following WikiProjects:
Please add the quality rating to the {{WikiProject banner shell}} template instead of this project banner. See WP:PIQA for details.
This article was previously nominated for deletion. The result of the discussion was Keep.
Keep
Loyd. I am not an expert in any of this including what constitutes an ad. However, as a long time TrueCrypt user, this article has been very helpful about what to do since TrueCrypt is no longer. Thus I feel it should be retained. Loydfoofoo (talk) 20:33, 4 February 2015 (UTC)
- I agree with Loydfoofoo. Pwolverine (talk) 09:34, 7 February 2015 (UTC)
The VeraCrypt entry in Wikipedia
1) The article does not read like an advertisement to me, and if I've read it correctly is not a commercial product - it's not 'for sale' but it is available. Seems to me more like a straightforward & neutral communication of information.
2) It relies too heavily on primary sources? Not sure what other sources it COULD rely on... So unconvinced that this is a valid criticism.
3) Needs additional citations for verification? Frankly I'm not even sure what this means. Verified in what sense? I will say no more since I may well simply expose further my ignorance.
(but - secret private thoughts hmmm... verified... that it exists? that the information is true? that it works? that it's produced by the people who claim to be responsible?)
4) Too technical? I'd describe it as admirably concise. I wouldn't claim to fully understand the information given, and am at the opposite end of the 'techno nerd computer geek' spectrum, indeed at the opposite end of the age spectrum that implies.
I have a smart phone - it took me over a month to discover how to accept an incoming call. So, NOT tech savvy.
However since the Snowden revelations and with a strong interest in the Bletchley Park story from WW2 I have tried to educate myself to some degree in this area. More explanation could be given, but it would make it a much longer article. My supposition would be that anyone wishing to understand more about the information given would follow the available links. 86.184.230.77 (talk) 11:31, 8 February 2015 (UTC)
Problem with speed claims.
We have a quote from a reliable source that doesn't make sense. The quote is
"In technical terms, when a system partition is encrypted, TrueCrypt uses PBKDF2-RIPEMD160 with 1,000 iterations. For standard containers and other (i.e. non system) partitions, TrueCrypt uses at most 2,000 iterations.
What Idrassi did was beef up the transformation process. VeraCrypt uses 327,661 iterations of the PBKDF2-RIPEMD160 algorithm for system partitions, and for standard containers and other partitions it uses 655,331 iterations of RIPEMD160 and 500,000 iterations of SHA-2 and Whirlpool, he said.
While this makes VeraCrypt slightly slower at opening encrypted partitions, it makes the software a minimum of 10 and a maximum of about 300 times harder to brute force. "Effectively, something that might take a month to crack with TrueCrypt might take a year with VeraCrypt," Idrassi said."
Source: [ http://www.esecurityplanet.com/open-source-security/veracrypt-a-worthy-truecrypt-alternative.html ].
We use this quote in the Security improvements section.
Two problems. First, anyone who has used both knows that the speed difference is not slight. Second, how is doing 327 times more work "10 times harder"?
At [ http://www.theinquirer.net/inquirer/news/2375599/veracrypt-fork-of-truecrypt-tips-up ] the same quote is used, but it is attributed as "On the VeraCrypt website, Idrassi explained". I cannot find the quote on veracrypt.codeplex.com.
I think we should drop the esecurityplanet citation and quote and instead use this one from [ https://veracrypt.codeplex.com/ ]:
"As an example, when the system partition is encrypted, TrueCrypt uses PBKDF2-RIPEMD160 with 1000 iterations whereas in VeraCrypt we use 327661. And for standard containers and other partitions, TrueCrypt uses at most 2000 iterations but VeraCrypt uses 655331 for RIPEMD160 and 500000 iterations for SHA-2 and Whirlpool.
This enhanced security adds some delay only to the opening of encrypted partitions without any performance impact to the application use phase. This is acceptable to the legitimate owner but it makes it much harder for an attacker to gain access to the encrypted data."
--Guy Macon (talk) 07:43, 7 July 2015 (UTC)
"it makes the software a minimum of 10 and a maximum of about 300 times harder to brute force" is a really weird statement.
1) PBKDF2 iterations have zero effect on brute force attacks. A brute force attack by definition will iterate over the whole keyspace, so it would be stupid to use PBKDF2 at all when you can just skip the step. The PBKDF2 iterations do increase the difficulty of password guessing though, e.g. dictionary attacks.
2) It makes it sound like the software itself will be brute forced, while in reality the software doesn't matter at all. It's all about the header data.
In light of these shortcomings I removed that part of the quote and replaced it with a simpler "While this makes VeraCrypt slower at opening encrypted partitions, it also makes password guessing based attacks slower."
- KaurKuut (talk) 00:32, 23 November 2015 (UTC)
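An added illustration of the two points raised in this thread (it is not part of the original discussion and is not VeraCrypt code): an instrumented PBKDF2 that counts its HMAC calls, checked against `hashlib`, showing that the per-guess cost scales linearly with the quoted iteration counts while a search over the key space does not depend on them. The function names, the constructed passphrase and salt, the 64-byte derived key, the attacker rate and the use of HMAC-SHA512 (instead of RIPEMD160, which `hashlib` does not always provide) are assumptions made for this example.

```python
import hashlib
import hmac
import math

# (TrueCrypt, VeraCrypt) iteration counts as quoted in the discussion above.
# The quote gives TrueCrypt's non-system figure as "at most 2000", so the
# ratios for standard volumes are lower bounds.
QUOTED_ITERATIONS = {
    "system partition, RIPEMD160": (1000, 327661),
    "standard volume, RIPEMD160": (2000, 655331),
    "standard volume, SHA-2 / Whirlpool": (2000, 500000),
}


def pbkdf2_counted(password, salt, iterations, dklen, digest="sha512"):
    """PBKDF2 (RFC 8018) that also returns how many HMAC calls it made."""
    hlen = hashlib.new(digest).digest_size
    calls = 0
    derived = b""
    for block in range(1, math.ceil(dklen / hlen) + 1):
        # U_1 = PRF(password, salt || INT_32_BE(block))
        u = hmac.new(password, salt + block.to_bytes(4, "big"), digest).digest()
        calls += 1
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            # U_j = PRF(password, U_{j-1}); the block is the XOR of all U_j
            u = hmac.new(password, u, digest).digest()
            calls += 1
            t ^= int.from_bytes(u, "big")
        derived += t.to_bytes(hlen, "big")
    return derived[:dklen], calls


def hmac_calls_per_guess(iterations, dklen, hlen):
    """Work for one password guess: iterations times the number of output blocks."""
    return iterations * math.ceil(dklen / hlen)


def guessing_slowdown(old_iterations, new_iterations):
    """Factor by which each password guess becomes more expensive."""
    return new_iterations / old_iterations


def slowdown_table():
    """Slowdown factor for every pair of counts quoted on the page."""
    return {
        label: guessing_slowdown(tc, vc)
        for label, (tc, vc) in QUOTED_ITERATIONS.items()
    }


def dictionary_seconds(candidates, iterations, hmac_per_second, dklen=64, hlen=64):
    """Time to test a candidate list at an assumed HMAC rate."""
    return candidates * hmac_calls_per_guess(iterations, dklen, hlen) / hmac_per_second


def keyspace_trials(key_bits, iterations):
    """Exhaustive key search tests keys directly, so `iterations` is unused."""
    return 2 ** key_bits


if __name__ == "__main__":
    # Constructed inputs, not taken from any real volume header.
    dk, calls = pbkdf2_counted(b"constructed-passphrase", b"constructed-salt", 1000, 64)
    assert dk == hashlib.pbkdf2_hmac(
        "sha512", b"constructed-passphrase", b"constructed-salt", 1000, 64
    )
    print("HMAC calls for one guess at 1000 iterations:", calls)
    for label, factor in slowdown_table().items():
        print(f"{label}: each guess costs about {factor:.1f}x more")
    print("256-bit key search trials, any iteration count:", keyspace_trials(256, 327661))
```
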
Licensing of VeraCrypt
If the license is Apache 2.0, doesn't that make VeraCrypt "Free Software", as opposed to "Source available freeware"?
Yogesh Girikumar 03:17, 10 July 2015 (UTC) — Preceding unsigned comment added by Yogeshg1987 (talk • contribs)
- VC includes TC code which is not released under a license recognized by FSF — Preceding unsigned comment added by 79.200.206.4 (talk) 12:45, 1 September 2015 (UTC)
User:Palosirkka, five days ago, you made an edit that designated the app as "not open-source," saying that "license isn't OSI approved." Now, excuse me, but last time I checked, both OSI and FSF had approved Apache License version 2. VeraCrypt's license is also Apache License v2.[1] Would you kindly care to explain yourself? Waysidesc (talk) 01:40, 17 March 2022 (UTC)
- @Waysidesc: Apache is a free software license, no disagreement there. But as described in VeraCrypt#License_and_source_model, that only covers parts of the software. The rest come with a vanity license that is not free. --Palosirkka (talk) 10:29, 17 March 2022 (UTC)
- That's a rather odd conclusion. I remember reading such things from skeptics who thought TrueCrypt is ineligible for forking and derivative works. And yet, VeraCrypt is the living counterexample. They accept pull requests, so they are open-source. Example: #815. These new contributions have been placed under the Apache License v2. Here; have a look at one of their files: CoreBase.cpp.
Modifications and additions to the original source code (contained in this file) and all other portions of this file are Copyright (c) 2013-2017 IDRIX and are governed by the Apache License 2.0 the full text of which is contained in the file License.txt included in VeraCrypt binary and source code distribution packages.
- Overall, it appears VeraCrypt has not inherited the licensing flaws of TrueCrypt. Waysidesc (talk) 23:45, 17 March 2022 (UTC)
- @Waysidesc: Not odd at all and not my conclusion either. You do realize that forking and derivatives don't require something to be open source? And people also do illegal things every day. Whether vera is illegal or not I do not know or care but I do know it is not open source. Some parts of it certainly are but the whole, including TrueCrypt code is not. --Palosirkka (talk) 08:21, 18 March 2022 (UTC)
- With all due respect, did you even read the article to which you are linking? To wit:
- It is about TrueCrypt, not VeraCrypt.
- It predates TrueCrypt License 3.1.
- Simon Phipps's recommended course of action is exactly what VeraCrypt has done. I quote:
As OSI director and open source expert Karl Fogel said, "The ideal solution is not to have them remove the words 'open source' from their self-description, but rather for their software to be under an OSI-approved open source license."
- Despite all of this, you have opined that it is definitely not open-source! I'm sorry, but may I see the Wikipedia policy that says your opinion is important? Waysidesc (talk) 04:41, 19 March 2022 (UTC)
- Veracrypt is a fork, apparently containing a large amount of Truecrypt code under Truecrypt license. As mentioned in the article, the former Truecrypt license versions were just as far from or even further away from the open source designation. Veracrypt cannot and has not changed the licensing of the Truecrypt parts... The Phipps's quote obviously meant Truecrypt has to change the license, which they have not done. This is getting borderline ridiculous. You seem to desperately want to claim this is open source even the linked article has the president of OSI telling you it is not open source! --Palosirkka (talk) 08:11, 20 March 2022 (UTC)
- Let me rewrite your last sentence with annotations: "You seem to desperately want to claim this [=VeraCrypt] is open source even [though] the linked article has the president of OSI telling you it [=TrueCrypt] is not open source!" Yes, indeed. Also, in the same vein, I believe Nikola Tesla invented the AC power, even though no history book says Isaac Newton did it. Nikola Tesla is not Isaac Newton, VeraCrypt is not TrueCrypt.
- VeraCrypt has an FSF-approved, OSI-approved license (Apache License v2), has exposed its source-code, and accepts pull requests from the public. It fulfills all criteria of being both free and open-source. Title 17 of United States Code, Section 106, grants the owner of VeraCrypt copyright the exclusive rights to do or authorize reproducing it, preparing derivative works based on it, and distribute copies of it. Waysidesc (talk) 16:59, 20 March 2022 (UTC)
- Don't go edit the article and especially don't lie about references! Phipps said Truecrypt license IS NOT a free software license, contrary to what you wrote. And don't falsely claim in your edit summary that your edit is based on discussion because it certainly was not... But Veracrypt IS Truecrypt, because it shares code with it. And the Truecrypt license says:
- e. You must not change the license terms of This Product in any way (adding any new terms is considered changing the license terms even if the original terms are retained), which means, e.g., that no part of This Product may be put under another license. You must keep intact all the legal notices contained in the source code files. You must include the following items with every copy of Your Product that You make and distribute: a clear and conspicuous notice stating that Your Product or portion(s) thereof is/are governed by this version of the TrueCrypt License, a verbatim copy of this version of the TrueCrypt License (as contained herein), a clear and conspicuous notice containing information about where the included copy of the License can be found, and an appropriate copyright notice.
- So the code from Truecrypt will always be under the Truecrypt license, not open source. Hence Veracrypt cannot be open source. You do realize it's not enough if parts of a software package are open source for the whole to be open source? Any amount of code that doesn't qualify taints the whole. --Palosirkka (talk) 06:12, 21 March 2022 (UTC)
- > Don't go edit the article and especially don't lie about references! Phipps said Truecrypt license IS NOT a free software license, contrary to what you wrote.
- Look again! I quote: "While it's accurate to describe the software as "free" ... the license is also not a free software license according to the FSF license list"
- > And don't falsely claim in your edit summary that your edit is based on discussion because it certainly was not...
- You mistake "based on discussion" with "based on agreement". Per your own WP:BRD policy, I can revert you without having ever discussed with you. R comes before D. Out of respect, however, I started a discussion first. But you first refused to get the point and now you are resorting to incivility. Yes, my revert is based on a discussion (even though it doesn't have to be) but not based on an agreement.
- > But Veracrypt IS Truecrypt, because it shares code with it. And the Truecrypt license says: ...
- And here is where you are wrong and pretend not to hear me. Title 17 of the United States Code, section 106, empowers TrueCrypt authors to directly authorize IDRIX to fork VeraCrypt under a different license. As far as us, the customers, are concerned, we can choose between Apache License v2 and TrueCrypt License version 3.0.
- Summary of my arguments so far:
- Being open-source is not a function of the license. It is a function of accessible source code and open collaboration. VeraCrypt has both. (TrueCrypt didn't.)
- VeraCrypt is multi-licensed. One of the options is Apache License version 2. It is an FSF-approved, OSI-approved license. Is it legal? That's not for us to decide. We have no grounds to assume bad faith in IDRIX.
- VeraCrypt is multi-licensed. One of the options is TrueCrypt License v3. It is not the license about which Phillip Simmons spoke. That was TrueCrypt License v2. Maybe if Mr. President of OSI should have used fewer weasel words and wrote one of the flaws of the TrueCrypt license in that article.
- - Waysidesc (talk) 08:18, 21 March 2022 (UTC)
- You look again... you wrote: Simon Phipps]], director of the OSI, agreed that TrueCrypt license is a [[free software license]] which is a complete and utter lie. He said it is gratis, which does not mean "free software license".
- If you have a reference that says Truecrypt did relicense, provide it. I don't believe one exists since Veracrypt lists Truecrypt license...
- What you say about the open source definition makes no sense at all. The OSI defines open source, not you or anybody else...
- You completely misunderstand the multi-license. NEW PARTS OF THE SOFTWARE are apache and free. THE PARTS FROM TRUECRYPT are as non-free as ever, that's what a fork means.
- No version of truecrypt license are OSI certified open source, so completely pointless. --Palosirkka (talk) 11:17, 22 March 2022 (UTC)
- > He said it is gratis, which does not mean "free software license".
- In the OSI guideline, all freedoms besides price are part of the open-source concept. As far as OSI is concerned, "free software" and "gratis" are the same thing. They don't recognize freeware vs. free software distinction. That's because OSD is a derivation of Debian Free Software Guideline. Naturally, FSF disagrees on many definitions with OSI. Of course, you've changed the context each time it suits you, so, now you yourself are confused. You have even changed the context in your last message. (See below.)
- > If you have a reference that says Truecrypt did relicense, provide it.
- Open the License.txt and use your browser's search function to find this piece of text: "VeraCrypt is multi-licensed under Apache License 2.0 and"
- > What you say about the open source definition makes no sense at all. The OSI defines open source, not you or anybody else...
- Pro-OSI bias is against Wikipedia's policy. Per WP:NPOV, the definitions of FSF, DFSG, Microsoft (largest producer of open-source apps in the world), and every other significant entity is also important.
- Be that as it may, per Wikipedia's WP:SYNTH policy, I'll take OSI's view into consideration if and when they spoke about VeraCrypt directly.
- > You completely misunderstand the multi-license. NEW PARTS OF THE SOFTWARE are apache and free. THE PARTS FROM TRUECRYPT are as non-free as ever, that's what a fork means.
- We're talking about "open-source," not "free." See? You changed the context again. Keep this charade up and soon you won't know north from south.
- Now, according to the Title 17 of the United States Code, 'a "derivative work" is a work based upon one or more preexisting works, such as a translation, musical arrangement, dramatization, fictionalization, motion picture version, sound recording, art reproduction, abridgment, condensation, or any other form in which a work may be recast, transformed, or adapted. A work consisting of editorial revisions, annotations, elaborations, or other modifications, which, as a whole, represent an original work of authorship, is a "derivative work".' VeraCrypt, therefore, is a derivative work. According to section 106 of this title, IDRIX has exclusive rights in this derivative work, but according to section 103, this exclusive right does not extend to pre-existing material, i.e. TrueCrypt.
- > No version of truecrypt license are OSI certified open source, so completely pointless.
- I'm glad you finally agreed on this. So, am I to assume every argument you've made based on OSI's approval is now null and void? Let me guess: Your answer is no. You're going to say something that amounts to "OSI is the king of the world and if the king doesn't approve, you cannot exist."
- Somehow, you seem to think VeraCrypt went through the trouble of changing its licensing intending not to make a difference. Waysidesc (talk) 13:13, 22 March 2022 (UTC)
- Skipping your unneeded insults, weird POV and general crazytalk, how exactly is USC relevant here? --Palosirkka (talk) 07:29, 23 March 2022 (UTC)
- LOL. 😂 USC 17 is the Copyright law of the United States. It is the sole law that makes licenses meaningful. Waysidesc (talk) 09:11, 23 March 2022 (UTC)
- And VeraCrypt is French. --Palosirkka (talk) 09:41, 23 March 2022 (UTC)
- The TrueCrypt Foundation is a registered US non-profit organization that last filed tax returns in 2010. TrueCrypt was under the protection of the U.S. copyright laws. Did you forget all of your TrueCrypt-based fallacies all of a sudden? Waysidesc (talk) 11:15, 23 March 2022 (UTC)
- We're not talking TrueCrypt but VeraCrypt which is developed by a French entity. Leave the silly attacks aside, please. --Palosirkka (talk) 12:37, 23 March 2022 (UTC)
- Thank you. I agree. Dispute resolved. Waysidesc (talk) 17:13, 23 March 2022 (UTC)
- No, not resolved. So you don't know how VeraCrypt could relicense TrueCrypt code? I still believe they could not. It's OK for you not to know how. Just don't claim to know if you don't. The United States law you proposed earlier doesn't apply in France. Maybe they have a similar clause in French law on derivatives. Maybe not. In case they do it will certainly, just like US law, also note that "protection for a work employing preexisting material in which copyright subsists does not extend to any part of the work in which such material has been used unlawfully" (17 U.S. Code § 103). Unlawfully here being relicensing code originally under a license, like the TrueCrypt license, that states "no part of This Product may be put under another license". As you see, by relicensing, they are in breach of the TrueCrypt license and so infringing TrueCrypt authors' copyright. Which is unlawful. They legally cannot relicense.
- There is another TrueCrypt fork, Ciphershed. They wrote in 2015 that they wanted to "transition to an OSI-approved license" but it "involves replacing the code almost entirely". Also, if one looks at their current license, they state very clearly that the new code and old code are under different licenses. --Palosirkka (talk) 22:29, 23 March 2022 (UTC)
If references are there stating that parts of the software are covered under a vanity license which is chargeable then the issue of free is settled (it is partly free) Then issue is whether it is open source. Does it fail any criteria here [2]? - Abdul Muhsy talk 18:12, 22 March 2022 (UTC)
- We're talking free software here, nothing to do with price. I guess the discussion at this hour boils down to whether VeraCrypt can take TrueCrypt code and relicense it under Apache. --Palosirkka (talk) 07:31, 23 March 2022 (UTC)
- The answer is yes. Title 17 of the United States Code, section 106 enables this transition. But we've already talked about this. Waysidesc (talk) 09:11, 23 March 2022 (UTC)
- @Abdul Muhsy: No. It doesn't. VeraCrypt binaries are now under the Apache License v2, which fulfills all OSD requirements. But you might be asking: What's the point of including the TrueCrypt license? It is simple, really. In the United States, the copyright law is called "Title 17 of the United States Code" or USC 17. This title defines VeraCrypt as a derivative work. In accordance to section 103 of this title (USC 17 § 103) the protection of Apache License v2 does not retrospectively extend back to TrueCrypt. In other words, the old TrueCrypt is still bound by its own license, even if you somehow download its code from the VeraCrypt repo and reconstitute it. Waysidesc (talk) 09:24, 23 March 2022 (UTC)
- OSD requirements have nothing to do with binaries... --Palosirkka (talk) 09:42, 23 March 2022 (UTC)
- Yes, it does. I quote: "The program must include source code, and must allow distribution in source code as well as compiled form." Waysidesc (talk) 11:15, 23 March 2022 (UTC)
- If it passes all the criteria it should be classified as open source. Our article on open source cites this criteria in its second sentence. May I suggest adding the sentence 'VeraCrypt is open source as per the criteria listed by opensource.org'. - Abdul Muhsy talk 13:31, 23 March 2022 (UTC)
It appears the dispute has finally resolved itself. You can find the essence of disagreement in revision 1078366517, where User:Palosirkka shouted "Veracrypt IS Truecrypt" (sic). That has changed recently, in revision 1078807536, where he finally conceded that "We're not talking TrueCrypt but VeraCrypt," finally taking back his original statement.
Waysidesc (talk) 17:26, 23 March 2022 (UTC)
- The dispute is still very much unresolved. My original statement was VeraCrypt is not free and open source software. You certainly have not convinced me otherwise. --Palosirkka (talk) 22:29, 23 March 2022 (UTC)
- I agree that no consensus has been achieved. Your opinion is valuable, but similarly other people's opinions are valuable as well. Article need not be edited in a hurry. Let's wait for some time. I feel it is open source, others may disagree. We need to value everyone's opinion. - Abdul Muhsy talk 03:13, 24 March 2022 (UTC)
Confusing info in the "Physical Security" section and the "Trusted Platform Module" section
Perhaps the information from VeraCrypt is confusing and so it's not the fault of this article, but note that in the "Physical Security" section it's stated that if possession of the computer is lost, an attacker can install a keylogger and compromise the security that way. Ok, fine, but then in the TPM section the same thing is stated and "for that reason TPM will never be supported." Well, that's dumb, but perhaps the conflict here - "we'll support our software, which may be compromised by a certain attack, but we won't support TPM, which may be compromised by the same attack" - could be explained or, if one of these sections has inaccurate info, it could be corrected. I'm reading this and thinking "WTH - are the VeraCrypt developers idiots or is this article somehow in error?" GTGeek88 (talk) 15:48, 28 January 2022 (UTC)
- That section needs to be rewritten. See WP:SOFIXIT.
- The main problem is the phrase "such as a hardware keystroke logger" which misses the point of the previous sentence; "if the attacker has physical or administrative access to a computer".
- Nothing can save you if you are facing a sophisticated and well-funded attacker (examples: You are Edward Snowden, your computer has military secrets, you have financial info worth billions, or you are the new leader of ISIS) and the attacker has physical access. The attacker can switch your computer with an identical-looking one that looks and acts exactly the same to your eyes.
- Most of us are facing threats from attackers who are not willing to break into your room and switch your computer while you sleep. Compromising your PC over the Internet and gaining administrator access is far more likely for most people. As the FAQ says:
- "If the attacker has administrator privileges, he can, for example, reset the TPM, capture the content of RAM (containing master keys) or content of files stored on mounted VeraCrypt volumes (decrypted on the fly), which can then be sent to the attacker over the Internet or saved to an unencrypted local drive (from which the attacker might be able to read it later, when he gains physical access to the computer)... The only thing that TPM is almost guaranteed to provide is a false sense of security (even the name itself, "Trusted Platform Module", is misleading and creates a false sense of security). As for real security, TPM is actually redundant (and implementing redundant features is usually a way to create so-called bloatware)."[3]
- So the paragraph should be rewritten to make it clear that VeraCrypt is secure against someone with administrator rights but not against someone with physical access, and TPM is not secure in either of those two cases.
- 2600:1700:D0A0:21B0:69AC:5512:473D:30FA (talk) 13:23, 29 January 2022 (UTC)
I tried to modify the TPM section to address this issue. I covered both angles: VeraCrypt's angle and the opposition's angle.
Quite frankly, I did expect some VeraCrypt fan or representative to revert or subvert my edit in a way that looks totally pro-VeraCrypt. It appears our lucky contender is User:Peterl. Peterl entirely removed the opposition's view point and wrote: "Others disagree with this" as if those others are trolls and their opinion is not worth considering. It goes without saying that censoring the valid views of the others is a violation of WP:NPOV that says:
All encyclopedic content on Wikipedia must be written from a neutral point of view (NPOV), which means representing fairly, proportionately, and, as far as possible, without editorial bias, all the significant views that have been published by reliable sources on a topic.
Let's take a look at a couple of highly controversial things that Peterl has written in his edit summary:
- "This is not the place to discuss the purpose or intent of TPM." Funny, because I did the opposite of discussing the intent of TPM and wrote "See 'Trusted Platform Module § Uses' for details."
- "The discussion over whether that's true or not belongs on the TPM page." WP:NPOV says it belongs to this page exactly. "Not going off topic" is the Internet's general excuse for censoring relevant contents.
- "The refs left don't adequately cover that 'others disagree with this'." This phrase appears in Peterl's edit, not mine! In fact, my edit states that others partially agree with TrueCrypt devs.
Waysidesc (talk) 01:44, 7 March 2022 (UTC)
- Please avoid attacking or being condescending to the editor, or any editor. It's not helpful and it's not constructive.
- So, let's look at the issues at hand:
- 1. "VeraCrypt does not take advantage of Trusted Platform Module (TPM)." - stated fact
- 2. "VeraCrypt FAQ repeats the negative opinion of the original TrueCrypt developers verbatim." - stated fact
- 3. VeraCrypt developers "claim that TPM is entirely redundant" - stated in their doc.
- Is TPM redundant? Can it be broken? Is it broken? That's a completely different question. All we have here is the VC devs claim. TPM is used in/by thousands of programs. The VeraCrypt page is not the place to discuss whether TPM is good, redundant, reliable or not; the TPM page is. Are there other developers that think TPM is redundant? Some of those links suggest that, others are glowing about TPM. They belong on the TPM page.
- I see that these refs and most of that text has come from the Trusted Platform Module page. It's redundant to have such duplication, because wiki pages for other programs that avoid or have a position against TPM would also need this discussion. I've marked this section
- Regarding WP:NPOV: The only fact we can state here is that VC doesn't use TPM, and the VC Devs have their reasons and don't like it. There's nothing debatable or un-NPOV in that. The viewpoints on whether they are right or not belong on the TPM page.
- peterl (talk) 06:11, 7 March 2022 (UTC)
- I'm disinclined to dance around the subject. You made an edit. What was your concern?
- I think eliminating the perceived duplication was your concern, even though you tried not to show it in your original edit. I also think you first decided to remove the so-called "duplicate" content, then looked for justification after the fact. Rest assured, however, that your concern is null and void.
- Two pages are in favor of this amount of "duplicate" content:
- 1. WP:NPOV: If a little repetition is what it takes to ensure "representing fairly, proportionately, and, as far as possible, without editorial bias, all the significant views that have been published by reliable sources on a topic," then so be it. The dismissive way in which you wrote "others disagree" and proceeded to bunch up a few references that don't say such a thing was anything but fair. I could conceive that the next reviewer would remove the statement along with its sources, bitterly condemning me to be a hypocrite, even though I was not the one responsible for this misrepresentation.
- 2. WP:CFORK: "Articles on distinct but related topics may well contain a significant amount of information in common with one another. This does not make either of the two articles a content fork. As an example, clearly Joséphine de Beauharnais will contain a significant amount of information also in Napoleon I of France; this does not make it a fork."
- There is a third page that also advocates some content duplication, but it is not directly appropriate for this discussion. It is WP:LEAD. It says the lead section must consist of duplicate info exclusively. Still, I mention it to help you let go of the desire to delete "duplicate" contents. Waysidesc (talk) 05:36, 9 March 2022 (UTC)
- Rookie mistake: revealing your bias in an edit summary then later trying to find a Wikipedia policy that justifies the change.
- Waysidesc's edits were correct and this edit[4] by Peterl violates NPOV.
- Virtually nobody outside of some obsolete material from the early days of TPM and some marketing material from TPM vendors claims that TPM (or VeraCrypt for that matter) can protect a computer from an Evil Maid attack by a sophisticated opponent. See:
- Note that some of the above attacks only work on older TPM implementations. So of course we are 100% sure that no future attack can possibly work on the TPMs they are shipping now...
- --76.216.220.191 (talk) 11:10, 11 March 2022 (UTC)