Linux Users' Group of Davis (LUGOD)
Page last updated: 2004 Dec 30 11:34

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

trusting downloaded code (was: [vox-tech] Installing Java)


On Thursday, 30 December 2004, Rick Moen wrote:
[...]
> One of the things that downstream package maintainers for distros do for
> you, if they're on the ball at all, is to be at least as alert and
> constructively paranoid as Andrew Brown was.  They're an additional
> check against _both_ quality problems and security compromise, between
> you and various sorts of harm.  You should make use of that protection
> (and other advantages, such as distro-specific patches) preferentially,
> and be aware of the need to perform personally the same sort of checks
> (e.g., meaningfully verifying PGP signatures and md5sums) and
> distro-specific adjustments, whenever you elect to go outside the
> package system.

I've occasionally speculated that it would be really useful for
distributions to provide a package containing all the public keys used by
upstream maintainers (e.g., kernel.org) to sign releases. There is no
guarantee that when I download Foo Group GmbH's latest tarball and PGP key
from their FTP server, then verify the former against the latter, that I
have not downloaded a compromised tarball AND compromised PGP key. Thoughts?


-- 
Henry House
+1 530 753 3361 ext. 13
Please don't send me HTML mail! My mail system usually rejects it.
The unintelligible text that may follow is a digital signature.
See <http://hajhouse.org/pgp> to find out how to use it.
My OpenPGP key: <http://hajhouse.org/hajhouse.asc>.


_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech
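Henry's concern above, worked through as an added example that is not part of the original post or of any LUGOD code: a POSIX shell routine that verifies a downloaded tarball against a detached signature while trusting only a keyring installed by the distribution (the package he proposes) plus a key fingerprint pinned from an out-of-band source, so a key fetched from the same server as the tarball cannot vouch for it. The keyring path and fingerprint are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post.  Verifies a release tarball
# using gpg's machine-readable status output.  A GOODSIG from *some* key in
# the keyring is not enough: the VALIDSIG fingerprint must equal the pinned
# one, which was obtained independently of the download server.

# Hypothetical path to a distro-installed keyring of upstream release keys.
TRUSTED_KEYRING=/usr/share/keyrings/upstream-release-keys.gpg
# Placeholder fingerprint; in practice, take it from an out-of-band source.
PINNED_FPR="0000000000000000000000000000000000000000"

# check_status STATUS_TEXT PINNED_FPR
# Parses "[GNUPG:] KEYWORD ..." lines as written by `gpg --status-fd`.
# Returns 0 only when there is a GOODSIG, no BADSIG/ERRSIG, and the
# VALIDSIG line names exactly the pinned fingerprint.
check_status() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $2 == "GOODSIG"                    { good = 1 }
        $2 == "BADSIG" || $2 == "ERRSIG"   { bad = 1 }
        $2 == "VALIDSIG" && $3 == want     { pinned = 1 }
        END { if (good && pinned && !bad) exit 0; exit 1 }'
}

# verify_release TARBALL DETACHED_SIGNATURE
# Uses only the trusted keyring (not the user's default keyring, where a
# key fetched alongside the tarball might have been imported).
verify_release() {
    status=$(gpg --batch --no-default-keyring --keyring "$TRUSTED_KEYRING" \
                 --status-fd 1 --verify "$2" "$1" 2>/dev/null)
    check_status "$status" "$PINNED_FPR"
}

# Usage: verify_release foo-1.2.tar.gz foo-1.2.tar.gz.asc && tar xzf foo-1.2.tar.gz
```

A signature that is cryptographically valid but made by an unexpected key, as would happen with a substituted tarball and matching substituted key, fails the pinned-fingerprint check and the tarball is never unpacked.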