Re: Please sign software with GnuPG



On 3 Nov 2002, Peter Wainwright wrote:

> On Sun, 2002-11-03 at 14:13, Tor Lillqvist wrote:
> >  > it would be fine if you used a secure model for distributing software
> >  > as there is an increasing problem with trojans in hacked versions of
> >  > free software.
> > 
> > I am not a security expert, but:
> > 
> > It hardly is of much use if I do that when the sources for most of my
> > porting efforts (the CVS repository at cvs.gnome.org, using normal
> > weakly-authenticated (?) pserver CVS access) is not cryptographically
> > signed or highly secure? I won't notice if somebody hacks into there
> > and plants trojans.
> > 
> > I.e. the security implementation should cover more phases, not just
> > what I compile and build on my machine and put up for downloading.
> 
> I agree that a signature on the final version of a package would
> give the user a false sense of security. I have recently begun to be 
> somewhat worried by the possibility of trojans in open source
> software. Maybe we need to start putting some pressure on the upstream
> providers - the people who run the CVS repositories - before we
> have a really embarrassing event which will blow the "Linux -
> more secure than Windows" argument out of the water.
> 
> That said, I don't know what the security issues are with CVS.
> Is it possible to "sign" CVS checkouts, anyway? And if tarball
> releases are obtained from CVS without thorough eyeballing, 
> can we trust them?
> 

The first step would be to make sure that cvs access happened securely
over ssh so that you would know that what you just checked out did
actually come from gnome cvs and that all the snoopers at the intermediate
10+ hops won't see your password go by all the time.

> If CVS is not up to scratch, we may need to think about another
> way of maintaining source repositories (how does BitKeeper
> compare in this regard?)
> 

There isn't an intrinsic problem with cvs in this regard.

> A slightly worried Peter Wainwright
> 
> -- 
>        Home:                           Work:
> Email: prw wainpr demon co uk          peter wainwright nrpb org
> Fax:   +44-870-0523185                 +44-1235-822656
> Web:   http://www.wainpr.demon.co.uk   http://www.nrpb.org
> 

	Sander

	There are voices in the street,
	And the sound of running feet,
	And they whisper the word --
	Revolution!
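The two checks the thread circles around, as an added example that is not part of any message above: a checkout is only trustworthy if it travelled over ssh (which means both a `:ext:` CVSROOT and `CVS_RSH=ssh`, since `:ext:` alone falls back to rsh), and a release tarball is only trustworthy if its detached GnuPG signature verifies against a key you already hold. Function names and the sample CVSROOT values are this example's own.

```shell
#!/bin/sh
# Added example; the function names and sample values are assumptions,
# not anything from the mailing list.

# check_cvs_transport CVSROOT CVS_RSH
# Returns 0 when the checkout would go over ssh, 1 otherwise.
# :pserver: sends the password and the tree in the clear; :ext: runs an
# external rsh-like program, which is plain rsh unless CVS_RSH is set to
# ssh, so both the method and CVS_RSH have to be checked.
check_cvs_transport() {
    cvsroot=$1
    cvs_rsh=$2
    case "$cvsroot" in
        :ext:*)
            [ "$cvs_rsh" = ssh ] && return 0
            echo "insecure: :ext: with CVS_RSH='${cvs_rsh:-rsh}'" >&2
            return 1 ;;
        :pserver:*)
            echo "insecure: :pserver: sends the password in the clear" >&2
            return 1 ;;
        *)
            echo "unrecognised CVSROOT method: $cvsroot" >&2
            return 1 ;;
    esac
}

# verify_release_tarball TARBALL SIG KEYRING
# Verifies a detached signature (e.g. foo-1.0.tar.gz.sig) using only the
# keys in KEYRING, so a stray key on the default keyring cannot satisfy
# the check. Returns gpg's exit status (0 = good signature).
verify_release_tarball() {
    gpg --no-default-keyring --keyring "$3" --verify "$2" "$1"
}

# Constructed sample values.
check_cvs_transport ':ext:anoncvs@cvs.example.org:/cvs/gnome' ssh \
    && echo "cvs transport ok"
check_cvs_transport ':pserver:anonymous@cvs.example.org:/cvs/gnome' '' \
    || echo "fix CVSROOT before trusting this checkout"
```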
