This is the mail archive of the mailing list for the Cygwin project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

crypto-ranting [Was: [ITP] clamav-0.75.1-1 - A GPL virus scanner]

Hash: SHA1

Brian Dessent wrote:
> Anyone that had sufficient access to the server to modify the binary
> could just insert a modified md5sum as well.  Its only useful purpose is
> detecting accidental transmission errors and it does that just fine
> regardless of the "attacks".  It's not being used in a cryptographically
> secure manner so it doesn't matter that the algorithm might not be
> cryptographically secure.

Oh, that's a different issue, and that's why I advocate package
mantainers to sign packages (such as I and Volker only do, AFAIK).

Just thinking... could be nice to have a page on with a table
that says the key id that signed script/patch/original package for every
package, so that users could quickly check them... (of course the page
should say only something such as "VALID signature", stating clear that
this doesn't say automatically that it is really the author's key...)

Or even a postinstall check from setup, but this would open the
Pandora's box of personal trust and I guess very little users have a web
of trust extended enough to include most cygwin package mantainers. So
this is pratically impossibile.

Anyway... way too OT to continue here, I fear ^_^""

- --
L a p o   L u c h i n i
l a p o @ l a p o . i t
w w w . l a p o . i t /
Version: GnuPG v1.2.4 (Cygwin)
Comment: Using GnuPG with Thunderbird -


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]