This is the mail archive of the mailing list for the Cygwin project.
crypto-ranting [Was: [ITP] clamav-0.75.1-1 - A GPL virus scanner]
Brian Dessent wrote:
> Anyone that had sufficient access to the server to modify the binary
> could just insert a modified md5sum as well. Its only useful purpose is
> detecting accidental transmission errors and it does that just fine
> regardless of the "attacks". It's not being used in a cryptographically
> secure manner so it doesn't matter that the algorithm might not be
> cryptographically secure.
Oh, that's a different issue, and that's why I advocate that package
maintainers sign packages (as only Volker and I do, AFAIK).
Just thinking... it could be nice to have a page on cygwin.com with a table
that says the key id that signed script/patch/original package for every
package, so that users could quickly check them... (of course the page
should say only something such as "VALID signature", stating clearly that
this doesn't automatically mean that it is really the author's key...)
Or even a postinstall check from setup, but this would open the
Pandora's box of personal trust, and I guess very few users have a web
of trust extended enough to include most cygwin package maintainers. So
this is practically impossible.
Anyway... way too OT to continue here, I fear ^_^
Lapo Luchini
lapo@lapo.it
www.lapo.it/
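As an added illustration of the distinction drawn in this exchange (not code from the thread or from the Cygwin project): whoever can rewrite a file on the server can also refresh its md5sum sidecar, so the checksum still passes, but without the private key they cannot produce a signature that verifies under the listed key id. The RSA parameters are constructed toy values (real packages are signed with GnuPG), and the key id is a placeholder.

```python
import hashlib

# Constructed toy RSA key pair: two known Mersenne primes give a ~92-bit
# modulus, far too small for real use but enough to make the point offline.
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, Python 3.8+

PUBLIC_KEY = (N, E)
PRIVATE_KEY = (N, D)
KEY_ID = "TOY-KEY-0001"             # placeholder standing in for a GnuPG key id

def digest_int(data: bytes) -> int:
    # Reduce the SHA-256 digest into the toy modulus; a real scheme pads instead.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(data: bytes, private_key=PRIVATE_KEY) -> int:
    n, d = private_key
    return pow(digest_int(data), d, n)

def verify(data: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    n, e = public_key
    return pow(signature, e, n) == digest_int(data)

def md5sum(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def publish(package: bytes) -> dict:
    """What the mirror stores: the file, its md5sum sidecar, a detached signature."""
    return {"file": package, "md5": md5sum(package), "sig": sign(package), "key": KEY_ID}

def replace_on_server(entry: dict, new_contents: bytes) -> dict:
    """Someone with write access swaps the file and regenerates the md5sum;
    the old signature is all they have, since the private key is not on the server."""
    return {"file": new_contents, "md5": md5sum(new_contents),
            "sig": entry["sig"], "key": entry["key"]}

def check_md5(entry: dict) -> bool:
    # Only detects accidental corruption: the sidecar travels with the file.
    return md5sum(entry["file"]) == entry["md5"]

def check_signature(entry: dict) -> str:
    # The proposed table would report just this: the signature matches the
    # listed key id, which says nothing about whether that key is the author's.
    return "VALID signature" if verify(entry["file"], entry["sig"]) else "BAD signature"
```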