On 08/29/2013 10:56 AM, Michael Stone wrote:
> On Thu, Aug 29, 2013 at 11:35:47AM +0200, Sébastien Le Ray wrote:
>> Yes but the whole thing looks weird, on one hand OP wants to include a
>> signed jar in the package, on the other hand he says "signature could
>> be omitted if quick update is needed"… What's the point having signed
>> JAR if unsigned JAR is legitimate too? Either you ban unsigned JARs or
>> you don't use signed JAR at all…
>
> It leaves that decision of whether to run with the unsigned jar up to
> the user. I think this is a reasonable solution if it works in practice,
> and is similar in concept to what the openssl folks have done for FIPS
> validation.
>
> Mike Stone

Another idea is that it provides a public record of whether the upstream jar matches the Debian jar, which is guaranteed to be built from source. This could then serve as a verification that the upstream jar did not have code injected into it that is not in the source tarball. One example of a worry of how this might happen is if a governmental agency issues a secret order to implant a back door in said app.

.hc

Archive: http://lists.debian.org/521f7a4b.3070...@at.or.at
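The comparison .hc describes (does the upstream binary jar match a jar rebuilt from the source tarball?) as an added example in Python. This is not code from the thread, from the package in question, or from Debian's tooling. It assumes the signed upstream jar differs from the from-source rebuild only in what signing adds (the META-INF/*.SF and *.RSA/*.DSA/*.EC files, and the per-entry digest sections that jarsigner appends to MANIFEST.MF), so those are deliberately ignored and every other entry is compared by content hash. The three jars it inspects are constructed in memory with placeholder bytes, not real artifacts.

```python
"""Compare an upstream (signed) jar against a jar rebuilt from source, entry by entry.

Added example, not code from the debian-security thread. The sample jars below are
constructed inline so the script runs offline; their class contents are placeholders.
"""
import hashlib
import io
import zipfile

# Files that jar signing adds under META-INF/; a from-source rebuild lacks them by design.
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")
MANIFEST = "META-INF/MANIFEST.MF"


def is_signature_entry(name):
    upper = name.upper()
    return upper.startswith("META-INF/") and upper.endswith(SIGNATURE_SUFFIXES)


def normalize_manifest(data):
    """Keep only the manifest's main section. Signing appends per-entry
    'Name:' / 'SHA-256-Digest:' sections after the first blank line, so
    only the part before that blank line is comparable with an unsigned build."""
    text = data.replace(b"\r\n", b"\n")
    return text.split(b"\n\n", 1)[0].rstrip(b"\n")


def entry_digests(jar_bytes):
    """Map entry name -> SHA-256 of its content, skipping directories and signature files."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signature_entry(info.filename):
                continue
            data = zf.read(info)
            if info.filename == MANIFEST:
                data = normalize_manifest(data)
            digests[info.filename] = hashlib.sha256(data).hexdigest()
    return digests


def compare_jars(upstream_bytes, rebuilt_bytes):
    """Report entries present in only one jar, or present in both with different content.
    An all-empty report means the upstream binary matches the from-source rebuild,
    apart from the signature material that was deliberately ignored."""
    up, rb = entry_digests(upstream_bytes), entry_digests(rebuilt_bytes)
    common = set(up) & set(rb)
    return {
        "only_in_upstream": sorted(set(up) - set(rb)),
        "only_in_rebuilt": sorted(set(rb) - set(up)),
        "modified": sorted(n for n in common if up[n] != rb[n]),
    }


def build_jar(entries):
    """Build a constructed sample jar (a zip) from {name: bytes}. Not a real artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample contents; the "class" bytes are placeholders, not real bytecode.
MAIN_SECTION = b"Manifest-Version: 1.0\r\nCreated-By: example\r\n"
APP_CLASS = b"\xca\xfe\xba\xbe" + b"app-v1"
UTIL_CLASS = b"\xca\xfe\xba\xbe" + b"util-v1"
SIGNED_EXTRAS = {
    "META-INF/UPSTREAM.SF": b"signature-file (placeholder)",
    "META-INF/UPSTREAM.RSA": b"pkcs7-blob (placeholder)",
}

# Signed upstream jar: manifest carries per-entry digest sections, plus .SF/.RSA files.
UPSTREAM_JAR = build_jar({
    MANIFEST: MAIN_SECTION + b"\r\nName: com/example/App.class\r\nSHA-256-Digest: xxx\r\n\r\n",
    **SIGNED_EXTRAS,
    "com/example/App.class": APP_CLASS,
    "com/example/Util.class": UTIL_CLASS,
})

# Unsigned jar rebuilt from the source tarball: no signature files, plain manifest.
REBUILT_JAR = build_jar({
    MANIFEST: MAIN_SECTION,
    "com/example/App.class": APP_CLASS,
    "com/example/Util.class": UTIL_CLASS,
})

# Like the upstream jar, but one class was altered with code that is not in the source.
TAMPERED_JAR = build_jar({
    MANIFEST: MAIN_SECTION + b"\r\nName: com/example/App.class\r\nSHA-256-Digest: yyy\r\n\r\n",
    **SIGNED_EXTRAS,
    "com/example/App.class": APP_CLASS + b"-injected",
    "com/example/Util.class": UTIL_CLASS,
})

if __name__ == "__main__":
    print("upstream vs rebuilt:", compare_jars(UPSTREAM_JAR, REBUILT_JAR))
    print("tampered vs rebuilt:", compare_jars(TAMPERED_JAR, REBUILT_JAR))
```

The check only means something if the rebuild is actually comparable: class files produced by a different javac version, target level or build options legitimately differ from upstream's, and a differing `Created-By:` line in the manifest main section would also show up as "modified". In practice the Debian build has to use the same toolchain and settings as upstream (a reproducible build) before a non-empty "modified" list can be read as injected code rather than compiler noise.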