Re: Reflections on Trusting Trust

Board: FB_security  Author:  Time: 20 years ago (2005/11/30 07:31), Edit  Push 0(000)
0 comments, 0 participants, latest thread 11/36
On Tue, Nov 29, 2005 at 01:36:31PM -0200, aristeu wrote:
> I'm new here, and I've posted only once. I just want to add my "just another user" opinion on this...
>
> Signing security advisories that send the hashes for a file does a nice job.
>
> I think the only problem that exists is the package/ports deployment. I believe we can't trust only hashes for this (tar already does a fine job on integrity...), because it can be easily circumvented. Maybe trusting this is the real weakest link...

I'd be happy to work with someone who can implement a solution for the package side. The important thing to keep in mind is that packages are built automatically on many distributed machines. Any solution for signing packages would therefore need to also be automated, e.g. signing them automatically when the packages are pulled back from the build client to server.

Kris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (FreeBSD)

iD8DBQFDjOPHWry0BWjoQKURAp5aAJ0XVkDRkRHqAoRd8BwSLF3TGbW9OACfXY2q
2AJSefUV4wqflt2F5PgY92c=
=Ylsy
-----END PGP SIGNATURE-----
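The distinction the two posters are circling, hashes published next to the packages versus a signature made with a key the client already trusts, is easy to show in code. The following is an added example and is not code from this thread or from FreeBSD's ports or package tooling: it uses Ed25519 from Go's standard library in place of the PGP signing discussed above, the package names and contents are constructed, and the "build server" and "mirror" are simulated in one process. It models Kris's automated step (sign the hash manifest as packages come back from the build cluster) and aristeu's concern (a mirror that swaps a package can also rewrite the hash list, so a hash-only check still passes).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Package is a constructed stand-in for a built port: a name and its bytes.
type Package struct {
	Name string
	Data []byte
}

// BuildManifest produces a deterministic "name sha256" listing, the kind of
// hash list an advisory or a package mirror would publish alongside the files.
func BuildManifest(pkgs []Package) string {
	lines := make([]string, 0, len(pkgs))
	for _, p := range pkgs {
		sum := sha256.Sum256(p.Data)
		lines = append(lines, p.Name+" "+hex.EncodeToString(sum[:]))
	}
	sort.Strings(lines)
	return strings.Join(lines, "\n") + "\n"
}

// SignManifest is the automated step on the build server: as packages are
// pulled back from a build client, the manifest is signed with the release key.
func SignManifest(priv ed25519.PrivateKey, manifest string) []byte {
	return ed25519.Sign(priv, []byte(manifest))
}

// VerifyHashOnly models the weak check: trust whatever manifest arrived with
// the packages and compare hashes. It passes whenever package and manifest
// agree with each other, no matter who produced them.
func VerifyHashOnly(manifest string, pkgs []Package) bool {
	return BuildManifest(pkgs) == manifest
}

// VerifySigned models the stronger check: the client pins the release public
// key, verifies the manifest signature first, and only then compares hashes.
func VerifySigned(pub ed25519.PublicKey, manifest string, sig []byte, pkgs []Package) bool {
	if !ed25519.Verify(pub, []byte(manifest), sig) {
		return false
	}
	return BuildManifest(pkgs) == manifest
}

// Scenario runs both checks against an honest mirror and against a mirror that
// replaced one package and regenerated the hash list to match.
func Scenario() (honestHash, honestSig, tamperedHash, tamperedSig bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed build output; names and contents are placeholders.
	built := []Package{
		{"pkg-a-1.0", []byte("constructed package contents A")},
		{"pkg-b-2.3", []byte("constructed package contents B")},
	}
	manifest := BuildManifest(built)
	sig := SignManifest(priv, manifest)

	honestHash = VerifyHashOnly(manifest, built)
	honestSig = VerifySigned(pub, manifest, sig, built)

	// The tampered mirror keeps package and hash list consistent with each
	// other, but cannot produce a new signature without the release key.
	tampered := []Package{
		built[0],
		{"pkg-b-2.3", []byte("constructed package contents B, altered")},
	}
	tamperedManifest := BuildManifest(tampered)
	tamperedHash = VerifyHashOnly(tamperedManifest, tampered)
	tamperedSig = VerifySigned(pub, tamperedManifest, sig, tampered)
	return
}

func main() {
	hh, hs, th, ts := Scenario()
	fmt.Printf("honest mirror:   hash-only=%v signed=%v\n", hh, hs)
	fmt.Printf("tampered mirror: hash-only=%v signed=%v\n", th, ts)
}
```

The honest mirror passes both checks; the tampered mirror passes the hash-only check and fails the signed one. The property that makes the difference is that the verifier's trust anchor (the pinned public key) lives on the client, not on the distribution channel, which is why the signing step has to sit on the build server rather than on the mirrors.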
Article code (AID): #13ZEIy00 (FB_security)