On Sat, 2008-09-20 at 19:52 +0200, Jukka Zitting wrote:
> HI,
>
> On Sat, Sep 20, 2008 at 7:08 PM, Henning Schmiedehausen
> <[EMAIL PROTECTED]> wrote:
> > Hiram suggested to put the signatures into the source, which in turn is
> > also distributed from the repo.
>
> It's not. The sources you build come either from svn or from a signed
> release package.

What is a signed release package? If I can compromise the repository and
change signatures on an artifact, I can also change the signatures and
contents on a "signed release package". That does not work.

In <[EMAIL PROTECTED]>:

Hiram> How about we include the signatures in the source distros? That
Hiram> way if you trust your source, then you can trust the dependencies
Hiram> it downloads.

Sounds pretty clear to me.

Your suggestion again requires that the verifier goes back to a central,
trusted repository (Single point of failure) and even more, it requires
some sort of convention on where and how to store these signatures. Does
not scale.

Folks, if distributed trust was easy, Trust Centers wouldn't make a
fortune selling signed keys from a central trust source ("Root
certificate").

Ciao
Henning
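The point Henning makes above, that a signature stored next to the artifact in the same repository proves nothing once that repository is writable by an attacker, can be shown with a small simulation. The following Go program is an added example written for this page; it is not code from the Maven project or from anyone in the thread. It models a repository as an in-memory path-to-bytes map (the paths, the `KEYS` file name and the Ed25519 keys are constructed assumptions), publishes an artifact with a detached signature, and then runs two verifiers over a tampered copy of the repository: one that fetches the signing key from the repository itself, and one that uses a key pinned out of band. Only the pinned-key verifier rejects the tampered artifact.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
)

// Repo models a plain artifact repository: a path-to-bytes store that a
// build tool fetches from. Constructed for this example; it is not Maven.
type Repo map[string][]byte

// Hypothetical repository layout used by the example.
const (
	artifactPath = "org/example/lib/1.0/lib-1.0.jar"
	sigPath      = artifactPath + ".sig"
	keyPath      = "KEYS" // public key published next to the artifacts
)

// Publish stores an artifact, its detached Ed25519 signature and the
// publisher's public key in a repository, as a "signatures in the repo"
// scheme would.
func Publish(priv ed25519.PrivateKey, artifact []byte) Repo {
	return Repo{
		artifactPath: artifact,
		sigPath:      ed25519.Sign(priv, artifact),
		keyPath:      []byte(priv.Public().(ed25519.PublicKey)),
	}
}

// TamperedCopy models the failure mode described in the thread: whoever can
// write to the repository can replace the artifact, re-sign it and replace
// the published key in the same place. It exists only to exercise the
// verifiers below.
func TamperedCopy(repo Repo, otherPriv ed25519.PrivateKey, newArtifact []byte) Repo {
	out := Repo{}
	for k, v := range repo {
		out[k] = v
	}
	out[artifactPath] = newArtifact
	out[sigPath] = ed25519.Sign(otherPriv, newArtifact)
	out[keyPath] = []byte(otherPriv.Public().(ed25519.PublicKey))
	return out
}

// VerifyTrustingRepoKey is the weak scheme: artifact, signature and key all
// come from the same repository, so the check only proves that the three
// files are consistent with each other, not who produced them.
func VerifyTrustingRepoKey(repo Repo) bool {
	pub := ed25519.PublicKey(repo[keyPath])
	if len(pub) != ed25519.PublicKeySize {
		return false // malformed or missing key file
	}
	return ed25519.Verify(pub, repo[artifactPath], repo[sigPath])
}

// VerifyWithPinnedKey is the stronger scheme: the public key is a trust
// anchor obtained out of band (shipped with the tool, checked in by a human,
// or chained to a root certificate), so a repository compromise cannot swap it.
func VerifyWithPinnedKey(repo Repo, pinned ed25519.PublicKey) bool {
	return ed25519.Verify(pinned, repo[artifactPath], repo[sigPath])
}

func main() {
	// Fixed seeds keep the demo deterministic; real keys come from a CSPRNG.
	publisher := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{1}, 32))
	intruder := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{2}, 32))
	pinned := publisher.Public().(ed25519.PublicKey)

	good := Publish(publisher, []byte("constructed artifact bytes"))
	bad := TamperedCopy(good, intruder, []byte("constructed replaced bytes"))

	fmt.Println("genuine repo, key from repo:   ", VerifyTrustingRepoKey(good)) // true
	fmt.Println("genuine repo, pinned key:      ", VerifyWithPinnedKey(good, pinned)) // true
	fmt.Println("tampered repo, key from repo:  ", VerifyTrustingRepoKey(bad)) // true (useless)
	fmt.Println("tampered repo, pinned key:     ", VerifyWithPinnedKey(bad, pinned)) // false
}
```

The design choice the output illustrates is the one the thread circles around: a signature only adds assurance when the verifier holds the key (or a chain to it) from somewhere the repository operator cannot alter. Where that key lives, and how it is distributed, is the convention problem Henning says does not scale without a central trust source.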