octave-maintainers
Re: CGI scripts on www.octave.org broken


From: Steve Lipa
Subject: Re: CGI scripts on www.octave.org broken
Date: Wed, 31 Mar 2004 17:58:31 -0500
User-agent: Mutt/1.2.5i

On Mar 31 Dmitri A. Sergatskov (address@hidden) wrote:
> Steve Lipa wrote:
> 
> 
> > I think you are missing the point here.  Let's say the sources are hosted
> > on a machine named www2.octave.org in pub/octave-source.tar.gz the MD5
> > sum is in pub/index.html or pub/octave-source.tar.gz.md5.   If some hacker
> 
> The checksum is being mailed by John to the list when he announces a new release.
> So you (and me and all subscribers) will have a copy of the MD5 sum in their
> mailboxes.
> 

OK. There is a little extra security for people who read the mailing lists,
I will grant you that.   I suspect that the vast majority of the Octave
user base just goes to www.octave.org, downloads the code, and installs it
without ever reading a single post in the mailing list.  And if they read
the post using the mailing list archive, well, it's been rooted too.

The bottom line is that for a price that differs from the price for generating
the MD5 sum infinitesimally, *all* Octave users can be virtually assured that
the code that they are getting from www.octave.org is exactly what Dr. Eaton
wants them to get. 

> >There are some arguments that public key cryptography is not "real security"
> >either, but it is getting off-topic...

If you think you can show that public key cryptography in general and gpg in
particular do not provide "real security" this is an important breakthrough
and I urge you to publish your result.

Steve

-- 

Steve Lipa
address@hidden
gpg fingerprint = 8B68 77D7 9E09 9991 C97E  25FF 6A12 D2B9 EC7D 66C1
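
The argument in this message, as an added example that is not part of the original post: a checksum stored next to the tarball can be rewritten by whoever rewrites the tarball, while a detached signature cannot be regenerated without a key that was never on the server. A Lamport one-time hash-based signature stands in for gpg here so the sketch runs on the Python standard library alone; all names and sample bytes are constructed.

```python
import hashlib
import secrets

def H(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

def keygen():
    """Lamport one-time key pair (stand-in for a gpg key, kept off the server)."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def bits(data: bytes):
    """The 256 bits of SHA-256(data), most significant bit first."""
    d = H(data)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, data: bytes):
    # Reveal one secret per digest bit; only the key holder can do this.
    return [sk[i][b] for i, b in enumerate(bits(data))]

def verify(pk, data: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        H(sig[i]) == pk[i][b] for i, b in enumerate(bits(data)))

def publish(tarball: bytes, sk):
    """What the maintainer uploads: the file, its MD5 sum, a detached signature."""
    return {"tarball": tarball,
            "md5": hashlib.md5(tarball).hexdigest(),
            "sig": sign(sk, tarball)}

def rewrite_server(server, new_tarball: bytes):
    """Server-side tampering: every hosted file can be rewritten, but the
    signing key was never on the server, so the old signature is all there is."""
    return dict(server, tarball=new_tarball,
                md5=hashlib.md5(new_tarball).hexdigest())

def md5_ok(server) -> bool:
    return hashlib.md5(server["tarball"]).hexdigest() == server["md5"]

def sig_ok(server, trusted_pk) -> bool:
    return verify(trusted_pk, server["tarball"], server["sig"])

def demo():
    sk, pk = keygen()                      # pk reaches users out of band
    good = publish(b"constructed release bytes", sk)
    bad = rewrite_server(good, b"constructed tampered bytes")
    return md5_ok(good), sig_ok(good, pk), md5_ok(bad), sig_ok(bad, pk)

if __name__ == "__main__":
    print(demo())
```

The co-hosted MD5 check passes for both the genuine and the rewritten download; only the signature check, made against a public key obtained independently of the server, tells them apart.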


