trusting downloaded code (was: [vox-tech] Installing Java)

Henry House hajhouse at houseag.com
Thu Dec 30 11:10:44 PST 2004


On Thursday, 30 December 2004, Rick Moen wrote:
[...]
> One of the things that downstream package maintainers for distros do for
> you, if they're on the ball at all, is to be at least as alert and
> constructively paranoid as Andrew Brown was.  They're an additional
> check against _both_ quality problems and security compromise, between
> you and various sorts of harm.  You should make use of that protection
> (and other advantages, such as distro-specific patches) preferentially, 
> and be aware of the need to perform personally the same sort of checks
> (e.g., meaningfully verifying PGP signatures and md5sums) and
> distro-specific adjustments, whenever you elect to go outside the
> package system.

I've occasionally speculated that it would be really useful for
distributions to provide a package containing all the public keys used by
upstream maintainers (e.g., kernel.org) to sign releases. There is no
guarantee that when I download Foo Group GmbH's latest tarball and PGP key
from their FTP server, then verify the former against the latter, that I
have not downloaded a compromised tarball AND compromised PGP key. Thoughts?


-- 
Henry House
+1 530 753 3361 ext. 13
Please don't send me HTML mail! My mail system usually rejects it.
The unintelligible text that may follow is a digital signature.
See <http://hajhouse.org/pgp> to find out how to use it.
My OpenPGP key: <http://hajhouse.org/hajhouse.asc>.
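The key-trust problem raised in the message above (verifying a tarball against a key pulled from the same server proves nothing if both were swapped) is mitigated by checking the downloaded key's fingerprint against one obtained out of band, such as from a distro-shipped keyring package. The following is an added example, not code from the post or the list: it computes the RFC 4880 v4 fingerprint of the primary key in a downloaded binary key block and compares it with a pinned value; the sample key packet, its toy modulus, and the function names are constructed for illustration.

```python
# Added example (not from the post): pin an upstream signing key's fingerprint
# taken out of band (e.g. from a distro keyring package) rather than trusting a
# key fetched beside the tarball it signs.
import hashlib
import hmac

PUBLIC_KEY_TAG = 6  # OpenPGP packet tag of a primary public key (RFC 4880)

def parse_first_packet(data: bytes):
    """(tag, body) of the first packet in a binary OpenPGP key block; old-format
    headers (length types 0-2) and new-format one-octet lengths are handled."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if ctb & 0x40:  # new format: tag in the low 6 bits, one-octet length
        tag, length, start = ctb & 0x3F, data[1], 2
        if length >= 192:
            raise ValueError("multi-octet new-format length not supported")
    else:  # old format: tag in bits 2-5, length type in bits 0-1
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        nbytes = 1 << ltype
        length, start = int.from_bytes(data[1:1 + nbytes], "big"), 1 + nbytes
    return tag, data[start:start + length]

def v4_fingerprint(key_body: bytes) -> str:
    """RFC 4880 s12.2: SHA-1 over 0x99, two-octet body length, then the body."""
    if key_body[0] != 4:
        raise ValueError("only version 4 keys are supported")
    prefix = b"\x99" + len(key_body).to_bytes(2, "big")
    return hashlib.sha1(prefix + key_body).hexdigest().upper()

def check_pinned(key_block: bytes, pinned_fingerprint: str) -> bool:
    """True only if the downloaded key's primary fingerprint equals the one
    recorded out of band, so a key swapped on the download server fails."""
    tag, body = parse_first_packet(key_block)
    if tag != PUBLIC_KEY_TAG:
        return False
    pinned = pinned_fingerprint.replace(" ", "").upper()
    return hmac.compare_digest(v4_fingerprint(body), pinned)

def _mpi(value: int) -> bytes:  # OpenPGP MPI: bit count, then big-endian bytes
    n = (value.bit_length() + 7) // 8
    return value.bit_length().to_bytes(2, "big") + value.to_bytes(n, "big")

# Constructed sample: a v4 RSA public-key packet with a toy 64-bit modulus (not
# a usable key) in an old-format header with a two-octet length (type 1).
SAMPLE_BODY = b"\x04\x41\xb4\x5d\x00\x01" + _mpi(0xC0FFEE1234567891) + _mpi(65537)
SAMPLE_KEY = b"\x99" + len(SAMPLE_BODY).to_bytes(2, "big") + SAMPLE_BODY
```

A real key block carries user-ID, signature and subkey packets after the primary key; only the first packet matters for the fingerprint, and a pinned value should be compared in full, never by short key ID.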
