Re: Reflections on Trusting Trust

看板FB_security作者時間20年前 (2005/11/30 07:36), 編輯推噓0(000)
留言0則, 0人參與, 最新討論串12/36 (看更多)
--bg08WKrSYDhXBjb5 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Nov 29, 2005 at 06:27:03PM -0500, Kris Kennaway wrote: > On Tue, Nov 29, 2005 at 01:36:31PM -0200, aristeu wrote: > > I'm new here, and I've posted only once. I just want to add my "just=20 > > another user" opinion on this... > >=20 > > Signing security advisories that sends the hashes for a file does a nic= e=20 > > job. > >=20 > > I think the only problem that exists is the package/ports deployment. I= =20 > > belive we can't trust only on hashes for this (tar already does a fine = job=20 > > on integrity...), because it can be easily circunvented. Maybe trusting= =20 > > this it is the real weakest link... >=20 > I'd be happy to work with someone who can implement a solution for the > package side. Also, pkg_sign(1) has existed for a long time, but needs the support infrastructure to make it usable. Kris --bg08WKrSYDhXBjb5 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (FreeBSD) iD8DBQFDjOU8Wry0BWjoQKURAkVYAJwPgTppYQakS50yfy1WJ1RqAzwb2ACffmLL hCER8btPzPW2BBnJN3zHems= =kYcs -----END PGP SIGNATURE----- --bg08WKrSYDhXBjb5--
更多 kris. 的文章
文章代碼(AID): #13ZEOG00 (FB_security)
討論串 (同標題文章)
完整討論串 (本文為第 12 之 36 篇):
排序: 最新先 | 最舊先 | 留言數
在新視窗開啟完整討論串 (共36篇)
更多 kris. 的文章
文章代碼(AID): #13ZEOG00 (FB_security)