trusting downloaded code (was: [vox-tech] Installing Java)
Rick Moen
rick at linuxmafia.com
Thu Dec 30 23:07:19 PST 2004
Quoting Richard Harke (rharke at earthlink.net):
> For some packages I have downloaded, the signer's key is retrieved from
> a different site. I also then check against a key server. This is not
> foolproof but it does make the bad guys' job harder. Another factor is
> time. If I use the same sites over again, I may be able to check
> against a key I got some time ago. Presumably, if it would have been
> compromised, it would have been canceled and a new key generated.
Yes, these are both good rules of thumb.
I don't think that best practices[1] on this subject have been written
about, much. It might make a good article.
[1] And I don't mean
http://linuxmafia.com/~rick/lexicon.html#best-practices . ;->
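
The cross-check discussed in this thread, as an added example that is not part of the original posts: it computes the OpenPGP v4 fingerprint of each binary copy of a signer's key (download site, keyserver) and compares them with each other and with a fingerprint saved earlier. The source names, the verdict strings and the sample key bytes are assumptions constructed for illustration.

```python
import hashlib
import struct

def pubkey_body(blob: bytes) -> bytes:
    """Body of the leading Public-Key packet (tag 6) of a binary OpenPGP key."""
    hdr = blob[0]
    if not hdr & 0x80:
        raise ValueError("not an OpenPGP packet (ASCII-armored input? dearmor first)")
    if hdr & 0x40:                          # new-format header
        tag, first = hdr & 0x3F, blob[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + blob[2] + 192, 3
        elif first == 255:
            length, off = int.from_bytes(blob[2:6], "big"), 6
        else:
            raise ValueError("partial body length not supported")
    else:                                   # old-format header
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        size = (1, 2, 4)[ltype]
        length, off = int.from_bytes(blob[1:1 + size], "big"), 1 + size
    body = blob[off:off + length]
    if tag != 6 or len(body) != length or not body or body[0] != 4:
        raise ValueError("expected a complete v4 public-key packet")
    return body

def fingerprint(blob: bytes) -> str:
    """RFC 4880 v4 fingerprint: SHA-1 over 0x99, 2-byte length, packet body."""
    body = pubkey_body(blob)
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def check_key(copies: dict, pinned: str = None):
    """Compare copies of a key from independent sources, then against a saved pin."""
    fprs = {src: fingerprint(blob) for src, blob in copies.items()}
    if len(set(fprs.values())) != 1:
        return "sources-disagree", fprs
    if pinned is not None and pinned not in fprs.values():
        return "changed-since-pin", fprs
    return "consistent", fprs

# Constructed sample, not a real key: v4 header, creation time, RSA, two toy MPIs.
BODY = b"\x04" + struct.pack(">I", 1104476839) + b"\x01" \
     + b"\x00\x40" + bytes(range(0x80, 0x88)) + b"\x00\x11\x01\x00\x01"
SITE = b"\x98" + bytes([len(BODY)]) + BODY          # old-format framing
KEYSERVER = b"\xc6" + bytes([len(BODY)]) + BODY     # new-format framing, same key
```

A "changed-since-pin" verdict does not by itself say whether the key was rotated or replaced by someone else; it marks the point at which to look for a revocation of the old key.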