Re: Please sign software with GnuPG



On Sun, 2002-11-03 at 14:13, Tor Lillqvist wrote:
>  > it would be fine if you used a secure model for distributing software
>  > as there is an increasing problem with trojans in hacked versions of
>  > free software.
> 
> I am not a security expert, but:
> 
> It hardly is of much use if I do that when the sources for most of my
> porting efforts (the CVS repository at cvs.gnome.org, using normal
> weakly-authenticated (?) pserver CVS access) is not cryptographically
> signed or highly secure? I won't notice if somebody hacks into there
> and plants trojans.
> 
> I.e. the security implementation should cover more phases, not just
> what I compile and build on my machine and put up for downloading.

I agree that a signature on the final version of a package would
give the user a false sense of security. I have recently begun to be
somewhat worried by the possibility of trojans in open source
software. Maybe we need to start putting some pressure on the upstream
providers - the people who run the CVS repositories - before we
have a really embarrassing event which will blow the "Linux -
more secure than Windows" argument out of the water.

That said, I don't know what the security issues are with CVS.
Is it possible to "sign" CVS checkouts, anyway? And if tarball
releases are obtained from CVS without thorough eyeballing, 
can we trust them?

If CVS is not up to scratch, we may need to think about another
way of maintaining source repositories (how does BitKeeper
compare in this regard?)

A slightly worried Peter Wainwright

> 
> --tml
> 
> 
> _______________________________________________
> gtk-devel-list mailing list
> gtk-devel-list gnome org
> http://mail.gnome.org/mailman/listinfo/gtk-devel-list
-- 
       Home:                           Work:
Email: prw wainpr demon co uk          peter wainwright nrpb org
Fax:   +44-870-0523185                 +44-1235-822656
Web:   http://www.wainpr.demon.co.uk   http://www.nrpb.org
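As an added example (not code from the original thread or from the GTK/GNOME projects) of the mechanism Tor was asked for above: a detached GnuPG signature over a release tarball, verified by the user, and then shown failing on a tampered copy. It uses a throwaway GNUPGHOME, a throwaway ed25519 key, and constructed stand-in files; the key name, e-mail address, file names and directory are assumptions for the demo.

```shell
#!/bin/sh
# Sign a release tarball with a detached GnuPG signature and verify it.
# Everything here is a demo under a temporary GNUPGHOME; nothing touches
# the user's real keyring. Requires gpg (GnuPG 2.1 or later for ed25519).
set -u

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -p "$GNUPGHOME"
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$WORK"' EXIT

# 1. Throwaway signing key. In a real release this key exists only on the
#    maintainer's machine and its public half is published out of band.
cat > "$WORK/key.conf" <<'EOF'
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Name-Real: Release Signer (demo)
Name-Email: signer@example.invalid
Expire-Date: 0
%commit
EOF
gpg --batch --quiet --gen-key "$WORK/key.conf" 2>/dev/null

# 2. A constructed stand-in for the release tarball (assumed file name).
printf 'pretend this is gtk-2.0.tar.gz\n' > "$WORK/release.tar.gz"

# sign_release FILE
#   Writes FILE.sig, an ASCII-armoured detached signature. This is what a
#   maintainer publishes next to the tarball.
sign_release() {
    gpg --batch --quiet --yes --armor --detach-sign \
        --output "$1.sig" "$1" 2>/dev/null
}

# verify_release FILE
#   Returns 0 if FILE.sig is a good signature over FILE by a key in the
#   keyring, 1 otherwise. gpg checks the signature itself; whether the
#   signing key is the *right* key is a separate trust decision.
verify_release() {
    if gpg --batch --quiet --verify "$1.sig" "$1" 2>/dev/null; then
        echo "GOOD signature: $1"
        return 0
    else
        echo "BAD or missing signature: $1"
        return 1
    fi
}

sign_release "$WORK/release.tar.gz"
verify_release "$WORK/release.tar.gz"

# 3. Simulate a trojaned mirror copy shipped with the original signature:
#    the content changed, so the detached signature no longer verifies.
cp "$WORK/release.tar.gz.sig" "$WORK/trojaned.tar.gz.sig"
printf 'pretend this is gtk-2.0.tar.gz with a backdoor\n' > "$WORK/trojaned.tar.gz"
verify_release "$WORK/trojaned.tar.gz"
```

Two caveats that match the point both posters make: `gpg --verify` only tells you the file is the one the holder of that key signed, so the user still has to obtain and check the maintainer's public key some other way (a fingerprint on a trusted web page, a key signed by people they know); and the signature attests to the tarball the maintainer built, not to the CVS tree it was built from, so it does nothing against a trojan planted upstream of the build.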