On Sat, Nov 29, 2008 at 02:52:53PM -0800, Dave Warren wrote:
> > When I go to the download page for ClamAV at SourceForge,
> > I observe that the signature file ("clamav-0.*.*.tar.gz.sig")
> > is downloaded less than 10% of the time that the source code
> > ("clamav-0.*.*.tar.gz") is downloaded. I find this strange,
> > especially for anti-malware software, whose users presumably
> > think about security more than the average SourceForge visitor.
>
> If you can't trust SourceForge for the source, what makes you think you
> can trust the signature file?

Because it's PGP signed. It's not just an md5 hash.

> Anyone in a position to compromise one would almost definitely be able
> to compromise the other.

Sure. But it would be suspect if gpg/pgp says: Good Signature by Snake Oil <[EMAIL PROTECTED]>.

-- 
Jan-Pieter Cornet <[EMAIL PROTECTED]>
!! Disclamer: The addressee of this email is not the intended recipient.  !!
!! This is only a test of the echelon and data retention systems. Please  !!
!! archive this message indefinitely to allow verification of the logs.   !!

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
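The point of the reply above is that a detached signature only helps if you check who signed, not merely that gpg printed "Good signature". The script below is an added example, not code from the thread or from the ClamAV project: it verifies a `.tar.gz.sig` against its tarball with gpg's machine-readable `--status-fd` output and accepts the download only when the `VALIDSIG` line carries a fingerprint you pinned in advance. `EXPECTED_FPR` is a placeholder (the page does not give the ClamAV release key's fingerprint); the status lines in the comments are constructed samples, and the script assumes a POSIX sh and a `gpg` binary on the path.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): verify a detached PGP
# signature and pin the signer's fingerprint instead of trusting a bare
# "Good signature" line, which a "Snake Oil" key in your keyring would also produce.
#
# Usage: ./verify.sh clamav-0.X.Y.tar.gz clamav-0.X.Y.tar.gz.sig
#
# EXPECTED_FPR is a PLACEHOLDER. Replace it with the 40-hex-digit fingerprint
# of the release key you have checked out of band (project web site over HTTPS,
# a release announcement signed by a key you already trust, a previous release).
EXPECTED_FPR="${EXPECTED_FPR:-0000000000000000000000000000000000000000}"

# check_status reads "gpg --status-fd" lines on stdin and returns 0 only if a
# VALIDSIG line matches the pinned fingerprint. VALIDSIG's 3rd field is the
# fingerprint of the key that made the signature (possibly a subkey); its last
# field is the primary key's fingerprint, so either may be pinned.
# Constructed sample of what gpg emits:
#   [GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.invalid>
#   [GNUPG:] VALIDSIG <fpr> 2008-11-29 1227970373 0 4 0 1 10 00 <primary-fpr>
check_status() {
    # Normalise the pin: drop spaces, upper-case hex, so "0123 4567 ..." works too.
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    status=1
    while read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                set -- $line
                fpr=$3
                shift $(($# - 1))
                primary=$1
                if [ "$fpr" = "$expected" ] || [ "$primary" = "$expected" ]; then
                    status=0
                fi
                ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*)
                # A bad, unverifiable, expired-key or revoked-key signature is
                # never acceptable, whatever else gpg reports.
                return 1
                ;;
        esac
    done
    # No VALIDSIG at all (empty output, gpg failed to run, unknown key) also fails.
    return $status
}

# verify_tarball runs gpg on the detached signature and feeds its status
# stream to check_status. Human-readable output goes to stderr and is dropped;
# --status-fd 1 puts the parseable "[GNUPG:]" lines on stdout.
verify_tarball() {
    tarball=$1
    sig=$2
    gpg --batch --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null \
        | check_status "$EXPECTED_FPR"
}

if [ "$#" -eq 2 ]; then
    if verify_tarball "$1" "$2"; then
        echo "OK: $1 signed by pinned key $EXPECTED_FPR"
    else
        echo "FAIL: $1 is not signed by the pinned key; do not use it" >&2
        exit 1
    fi
fi
```

Pinning the fingerprint is what turns "gpg says Good Signature" into "signed by the ClamAV release key": the signature and tarball can both come from the same mirror, but a substituted signature from some other key will not match the pin, and the check fails closed when gpg reports nothing usable at all.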