
Re: digital signatures


From: Paul Kienzle
Subject: Re: digital signatures
Date: Thu, 1 Apr 2004 21:18:36 -0500


On Apr 1, 2004, at 1:07 PM, Steve Lipa wrote:

On Apr 01 Przemek Klosowski (address@hidden) wrote:

MD5SUM, when it is computed by John on his personal system right after
generating the binaries, and distributed in a way that does not allow
for surreptitious modification, are as secure as digital signature.

That's right. The part about being "distributed in a way that does not allow for surreptitious modification" is the whole problem. Digital signatures greatly mitigate this problem. That is why everybody with a clue is starting
to use them.

Let's face it, the whole point of rooting the server is to inject trojans into the code all of the users are downloading. The tiny cost of generating
a digital signature can greatly reduce the chances of this succeeding.

Dr. Eaton and the Octave maintainers have typed hundreds of thousands of lines of code for the benefit of their user base, for which we are profoundly
thankful.  Typing one more line

  gpg --sign -b -o octave-2.1.60.tar.gz.sig octave-2.1.60.tar.gz

can provide significant, valuable protection for their product and their
user base.  Why not do it?

I'm not sure signatures would help octave-forge much.  Unlike John,
we do not have a private CVS copy which is mirrored publicly. Signatures
will not protect against someone rooting source forge and hacking
code into the octave-forge CVS repository.  And unlike John nobody is
filtering every patch that gets made.

If you have the time and energy to do so, you are welcome to watch
the changes on every file and sign and distribute your own version of
the package.  I'm happy to put a link on the front page, and the
community can vote with their feet.

Splitting octave-forge into small enough packages that users can
thoroughly examine the code before they use it is another approach.
Etienne had an automatic dependency checker on his site oh
so long ago --- you could resurrect that for octave-forge.

Octave-forge accounts are available for the asking.  If it would
make people feel more comfortable, we could 'age' accounts,
and eliminate those who haven't contributed in the past year.  I'm
not sure that this impacts security much.

We could also raise the barrier to getting new accounts if someone
wants to take the role of editor.  Most contributors submit one or
two things (if that) and disappear, which I understand is the norm
for open source projects (some pithy quote about fools applies to
the rest of us).  Having an editor makes contributing easier and
improves code quality, but it can be a lot of work.  Especially with
a community that is growing exponentially:
http://sourceforge.net/project/stats/index.php?report=months&group_id=2888

All these suggestions require considerably more work than typing
one extra line during build.

Paul Kienzle
address@hidden
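An added example, not from anyone in the thread: a small script that does what the one-line gpg command above does (a detached signature over a release tarball) and then shows what it buys the downloader, since the genuine file verifies while a swapped file shipped with the old .sig does not. It uses a throwaway key in a temporary GNUPGHOME; the user id and the file contents are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the thread: detached-sign a release tarball with
# GnuPG and check that the signature catches a swapped tarball. Everything
# below runs against a throwaway key in a temporary GNUPGHOME; the user id
# and file contents are constructed for the demo.
set -eu

export GNUPGHOME="$(mktemp -d)"   # isolated keyring, never touches ~/.gnupg
WORK="$(mktemp -d)"
trap 'rm -rf "$GNUPGHOME" "$WORK"' EXIT

# Throwaway signing-only key with an empty passphrase so gpg never prompts
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Demo Release Signer <release@example.invalid>' \
    ed25519 sign 1d >/dev/null 2>&1

# What the maintainer runs once at build time (same as `gpg --sign -b` above):
# writes TARBALL.sig, which is published next to the tarball.
sign_release() {
    gpg --batch --quiet --yes --detach-sign -o "$1.sig" "$1"
}

# What a downloader runs: succeeds only if TARBALL.sig was made over exactly
# these bytes by a key in the local keyring.
verify_release() {
    gpg --batch --quiet --verify "$1.sig" "$1" 2>/dev/null
}

# Returns 0 when the genuine tarball verifies and a tampered copy is rejected.
release_signature_demo() {
    tarball="$WORK/octave-demo.tar.gz"   # stand-in contents, not a real tarball
    printf 'constructed release contents\n' > "$tarball"
    sign_release "$tarball"
    verify_release "$tarball" || return 1

    # Someone who has rooted the download server can replace the tarball and
    # any MD5SUM file beside it, but cannot produce a matching .sig without
    # the private key, which never left the maintainer's machine.
    tampered="$WORK/tampered.tar.gz"
    printf 'trojaned release contents\n' > "$tampered"
    cp "$tarball.sig" "$tampered.sig"
    if verify_release "$tampered"; then
        return 1   # a reused signature over different bytes must not verify
    fi
    return 0
}

release_signature_demo && echo "genuine tarball verified, tampered copy rejected"
```

The same two commands work unchanged with a real release key; only the key generation and the temporary GNUPGHOME are demo scaffolding.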


