In message <[EMAIL PROTECTED]> Jan Pieter Cornet
<[EMAIL PROTECTED]> was claimed to have written:

>On Sat, Nov 29, 2008 at 02:52:53PM -0800, Dave Warren wrote:
>> >When I go to the download page for ClamAV at SourceForge, 
>> >I observe that the signature file ("clamav-0.*.*.tar.gz.sig")
>> >is downloaded less than 10% of the time that the source code
>> >("clamav-0.*.*.tar.gz") is downloaded. I find this strange,
>> >especially for anti-malware software, whose users presumably 
>> >think about security more than the average SourceForge visitor.
>> 
>> If you can't trust SourceForge for the source, what makes you think you
>> can trust the signature file?
>
>Because it's PGP signed. It's not just an md5 hash.
>
>> Anyone in a position to compromise one would almost definitely be able
>> to compromise the other.
>
>Sure. But it would be suspect if gpg/pgp says:
>
>Good Signature by Snake Oil <[EMAIL PROTECTED]>.

True, but you could make it realistic enough to fool most of the people,
most of the time, especially with a readme.txt noting that the new
versions are signed slightly differently.

This sort of thing happens legitimately often enough that there isn't
any real practical way to tell if it's real or not other than to wait a
decent amount of time for the original author to notice and post a
contrary statement.
-- 
Dave Warren,          [EMAIL PROTECTED]
Office: (403) 775-1700   /   (888) 300-3480

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
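The thread's practical point is that "Good signature" from gpg means nothing on its own: an attacker who can replace the tarball can also replace the .sig and add a readme explaining the "new" key. The check that survives that is to pin the fingerprint of the release-signing key you obtained out of band (from an earlier release, a keysigning, a second channel) and refuse any signature, however "good", from a key that is not on that list. The script below is an added example, not code from the thread or from the ClamAV project. It assumes a placeholder pinned fingerprint (all zeroes; not ClamAV's real key), invented function names, and constructed gpg status output for the offline samples; the gpg status-line format it parses (GOODSIG, BADSIG, VALIDSIG with the primary-key fingerprint as the last field) is the real one documented in gpg's DETAILS file.

```shell
#!/bin/sh
# Verify a detached PGP signature on a release tarball and accept it only
# if the signing key (or its primary key) matches a fingerprint pinned here.
#
# ASSUMPTION: the value below is a placeholder. Replace it with the
# fingerprint of the key you established out of band, e.g. from
#   gpg --fingerprint <keyid>
# on a key you already trusted for a previous release, never from the
# download page you are trying to verify.
PINNED_FPRS="0000000000000000000000000000000000000000"

# check_status PINNED_LIST STATUS_TEXT
# Parse the machine-readable output of `gpg --status-fd 1 --verify`.
# Returns 0 only when a VALIDSIG line names a pinned key. A GOODSIG from an
# unpinned key (the "Good Signature by Snake Oil" case) returns 1, as does
# BADSIG, NO_PUBKEY or any output with no VALIDSIG at all.
check_status() {
    pinned="$1"
    status="$2"
    printf '%s\n' "$status" | awk -v pinned="$pinned" '
        BEGIN {
            n = split(pinned, arr, " ")
            for (i = 1; i <= n; i++) ok[toupper(arr[i])] = 1
            result = 1
        }
        $1 == "[GNUPG:]" && $2 == "BADSIG" { print "BAD signature"; exit 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            fpr = toupper($3)        # fingerprint of the key that signed
            primary = toupper($NF)   # primary key fingerprint (subkey case)
            if ((fpr in ok) || (primary in ok)) {
                result = 0
            } else {
                printf "signature is valid but key %s is not pinned\n", fpr
            }
        }
        END { exit result }
    '
}

# verify_download TARBALL [SIGFILE]
# Runs gpg on a real download. gpg's exit code is deliberately ignored;
# the decision comes from check_status, which requires a pinned VALIDSIG.
verify_download() {
    tarball="$1"
    sig="${2:-$tarball.sig}"
    out=$(gpg --batch --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null) || true
    check_status "$PINNED_FPRS" "$out"
}

# Constructed sample status output (not captured from ClamAV or gpg):
# a valid signature from the pinned (placeholder) key.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Release key (test) <releases@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2008-11-29 1227995573 0 4 0 1 10 00 0000000000000000000000000000000000000000'

# Constructed: gpg reports a good signature, but from an unrelated key.
# This is exactly what a swapped tarball plus a "we re-keyed" readme yields.
SAMPLE_SNAKE_OIL='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG DEADBEEFCAFEF00D Snake Oil <snakeoil@example.invalid>
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2008-11-29 1227995573 0 4 0 1 10 00 1111111111111111111111111111111111111111'

if [ "$#" -gt 0 ]; then
    verify_download "$@"
else
    check_status "$PINNED_FPRS" "$SAMPLE_GOOD" >/dev/null && echo "sample 1: accepted (pinned key)"
    check_status "$PINNED_FPRS" "$SAMPLE_SNAKE_OIL" || echo "sample 2: rejected (unpinned key)"
fi
```

Run it as `sh verify.sh clamav-0.94.2.tar.gz` (the .sig is assumed to sit beside the tarball); with no arguments it exercises the two constructed samples. The fingerprint comparison is done on VALIDSIG rather than GOODSIG because GOODSIG carries only a short key ID and a user ID string, both of which an attacker can reproduce on a key of their own; the last VALIDSIG field lets a signature made by a subkey still be matched against the pinned primary key.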
