This is the mail archive of the cygwin-apps@cygwin.com mailing list for the Cygwin project.



crypto-ranting [Was: [ITP] clamav-0.75.1-1 - A GPL virus scanner]


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Brian Dessent wrote:
> Anyone that had sufficient access to the server to modify the binary
> could just insert a modified md5sum as well.  Its only useful purpose is
> detecting accidental transmission errors and it does that just fine
> regardless of the "attacks".  It's not being used in a cryptographically
> secure manner so it doesn't matter that the algorithm might not be
> cryptographically secure.

Oh, that's a different issue, and that's why I advocate package
maintainers to sign packages (as only Volker and I do, AFAIK).

Just thinking... it could be nice to have a page on cygwin.com with a table
that says the key id that signed script/patch/original package for every
package, so that users could quickly check them... (of course the page
should say only something such as "VALID signature", stating clearly that
this doesn't say automatically that it is really the author's key...)

Or even a postinstall check from setup, but this would open the
Pandora's box of personal trust and I guess very few users have a web
of trust extended enough to include most cygwin package maintainers. So
this is practically impossible.

Anyway... way too OT to continue here, I fear ^_^""

- --
L a p o   L u c h i n i
l a p o @ l a p o . i t
w w w . l a p o . i t /
http://www.megatokyo.it
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Cygwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iEYEARECAAYFAkFZU6cACgkQaJiCLMjyUvtiJwCfZCwVx5LurM93gI+HBtB478Kx
kUMAoLBd9Hr38gILv7QZIYJe8NY2qOxo
=S6pl
-----END PGP SIGNATURE-----
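
Added example (not part of the original message, and not Cygwin project code): a sketch of the per-package table proposed above, built from GnuPG's machine-readable `--status-fd` lines, that reports "VALID signature" separately from whether the key's ownership is trusted. Package names, key ids and status lines are constructed; one signature per file is assumed.

```python
# Added example: constructed data, not output captured from any real package.
TRUST_TAGS = {"TRUST_UNDEFINED", "TRUST_NEVER", "TRUST_MARGINAL",
              "TRUST_FULLY", "TRUST_ULTIMATE"}

def summarise(status_text):
    """Reduce `gpg --status-fd` lines for one detached signature to
    (verdict, key_id, trust). Assumes a single signature per file."""
    verdict, key_id, trust = "NO SIGNATURE", None, None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # human-readable gpg output is not parsed
        tag, *args = line.split()[1:] or [""]
        first = args[0] if args else None
        if tag == "BADSIG":
            verdict, key_id = "BAD signature", first
        elif tag == "ERRSIG" and verdict != "BAD signature":
            verdict, key_id = "NOT CHECKED", first  # e.g. public key missing
        elif tag == "GOODSIG" and verdict == "NO SIGNATURE":
            verdict, key_id = "VALID signature", first
        elif tag in TRUST_TAGS:
            trust = tag[len("TRUST_"):].lower()
    return verdict, key_id, trust

def build_table(status_by_package):
    """One row per package: (package, key id, verdict, caveat)."""
    rows = []
    for package in sorted(status_by_package):
        verdict, key_id, trust = summarise(status_by_package[package])
        caveat = ""
        if verdict == "VALID signature" and trust not in ("fully", "ultimate"):
            # The signature verifies, but nothing ties the key to the maintainer.
            caveat = "key ownership not verified"
        rows.append((package, key_id or "-", verdict, caveat))
    return rows

# Constructed status output for three hypothetical packages.
SAMPLE = {
    "pkg-a-1.0-1": "gpg: Good signature\n"
                   "[GNUPG:] GOODSIG 1111111111111111 Maintainer A <a@example.org>\n"
                   "[GNUPG:] TRUST_UNDEFINED 0 pgp\n",
    "pkg-b-2.0-1": "[GNUPG:] BADSIG 2222222222222222 Maintainer B <b@example.org>\n",
    "pkg-c-3.0-1": "[GNUPG:] ERRSIG 3333333333333333 17 2 00 1096370000 9\n"
                   "[GNUPG:] NO_PUBKEY 3333333333333333\n",
}

if __name__ == "__main__":
    for row in build_table(SAMPLE):
        print("%-12s %-17s %-16s %s" % row)
```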

