I think that it should, in principle, be possible to run BitShares on a completely open source system where the user could theoretically audit the source code of any component. In particular, there should be no closed-source or pre-compiled components in the BitShares toolkit itself. The BitShares Toolkit should allow users to audit every line of code that could potentially gain access to the private keys controlling their funds.
Of course, if some individual user want to make an individual choice based on individual convenience / security tradeoff preferences, they should also be free to choose to trust OS vendors, binary package repos, PPA's, precompiled binaries, etc.
There is a binary blob in the BitShares toolkit source tree at https://github.com/BitShares/bitshares_toolkit/tree/c58b14c6dc923929368022af6c1c54a45b67dc2f/CrashRpt/bin
. This binary blob is apparently used for crash reporting functionality. I requested it to be removed. This request was overruled; see https://github.com/BitShares/bitshares_toolkit/issues/658
. (However, the dependency was made optional in the build.) The issue has not been revisited in approximately two months since then. I'm starting this thread to discuss why it's still there and try to build consensus about how to satisfy the goal of making the source code (in principle) more auditable by (if possible) removing the binary blobs.
What is stopping us from managing this CrashRpt dependency the same way we manage OpenSSL dependency? We don't put precompiled OpenSSL binaries in the source tree. Instead we have DLL's, so's or statically linked libraries that come from somewhere else (the package manager on Ubuntu; I'm not really sure what Windows and Mac do, perhaps they require the user to separately, perhaps manually, download and compile OpenSSL from source?).
What is stopping us from managing this CrashRpt dependency the same way we manage LevelDB dependency? We don't put precompiled LevelDB binaries in the source tree. Instead we have the LevelDB source code in a submodule, and its build is integrated with the main project's build.