On 21/09/2008, Henning Schmiedehausen <[EMAIL PROTECTED]> wrote:
>
>  On Sat, 2008-09-20 at 19:52 +0200, Jukka Zitting wrote:
>  > Hi,
>  >
>  > On Sat, Sep 20, 2008 at 7:08 PM, Henning Schmiedehausen
>  > <[EMAIL PROTECTED]> wrote:
>  > > Hiram suggested to put the signatures into the source, which in turn is
>  > > also distributed from the repo.
>  >
>  > It's not. The sources you build come either from svn or from a signed
>  > release package.
>
>
> What is a signed release package? If I can compromise the repository and
>  change signatures on an artifact, I can also change the signatures and
>  contents on a "signed release package". That does not work.
>
>  In <[EMAIL PROTECTED]>:
>
>  Hiram> How about we include the signatures in the source distros?  That
>  Hiram> way if you trust your source, then you can trust the dependencies
>  Hiram> it downloads.
>
>  Sounds pretty clear to me. Your suggestion again requires that the
>  verifier goes back to a central, trusted repository (Single point of
>  failure)

AIUI, the checksum list will be part of the release, which will be
signed. Therefore it cannot be changed unless the signature is
changed. Validating the signature on the release is an essential part
of the process.

That's no different from validating a standard release.

> and even more, it requires some sort of convention on where and
>  how to store these signatures. Does not scale.

However I totally agree with that.

>  Folks, if distributed trust was easy, Trust Centers wouldn't make a
>  fortune selling signed keys from a central trust source ("Root
>  certificate").
>
>         Ciao
>
>                 Henning
>
>  ---------------------------------------------------------------------
>  To unsubscribe, e-mail: [EMAIL PROTECTED]
>  For additional commands, e-mail: [EMAIL PROTECTED]
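The scheme the reply above describes, a dependency checksum list that ships inside the release and is covered by the release signature, is easier to reason about with the verification path written out. The following is an added example, not code from this thread or from any Apache project; it assumes an Ed25519 release key and a plain "hash name" manifest format, both chosen here for illustration, and the jar contents are constructed stand-ins. It walks through the two repository-compromise cases raised in the thread: an artifact swapped under an unchanged checksum list, and an attacker who rewrites the checksum list in the repository as well.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Manifest is the dependency checksum list shipped inside the release:
// artifact name -> hex SHA-256 of the bytes the release was built against.
type Manifest map[string]string

// Canonical serialises the manifest deterministically (one "hash name" line
// per artifact, sorted by name) so the signature covers a stable byte string.
func (m Manifest) Canonical() []byte {
	names := make([]string, 0, len(m))
	for n := range m {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		fmt.Fprintf(&b, "%s %s\n", m[n], n)
	}
	return []byte(b.String())
}

// ParseManifest rebuilds a Manifest from its canonical form (assumed format).
func ParseManifest(data []byte) (Manifest, error) {
	m := Manifest{}
	for _, line := range strings.Split(strings.TrimSpace(string(data)), "\n") {
		parts := strings.SplitN(line, " ", 2)
		if len(parts) != 2 || len(parts[0]) != sha256.Size*2 {
			return nil, fmt.Errorf("malformed manifest line: %q", line)
		}
		m[parts[1]] = parts[0]
	}
	return m, nil
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// SignManifest is the release manager's step: sign the canonical manifest
// with the release key, as part of signing the release it ships in.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Canonical())
}

// VerifyManifest is the consumer's first step: no checksum is trusted unless
// the manifest bytes verify under the release key obtained out of band.
func VerifyManifest(pub ed25519.PublicKey, data, sig []byte) (Manifest, error) {
	if !ed25519.Verify(pub, data, sig) {
		return nil, errors.New("release signature does not verify; manifest untrusted")
	}
	return ParseManifest(data)
}

// CheckDependency compares a downloaded artifact against a verified manifest.
func CheckDependency(m Manifest, name string, blob []byte) error {
	want, ok := m[name]
	if !ok {
		return fmt.Errorf("%s: not listed in release manifest", name)
	}
	if got := sha256Hex(blob); got != want {
		return fmt.Errorf("%s: checksum mismatch (want %s, got %s)", name, want, got)
	}
	return nil
}

// Scenario runs an honest download, a swapped artifact, and a repository
// where the attacker also rewrote the checksum list, returning each outcome.
func Scenario() (map[string]bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	// Constructed stand-ins for the dependency jars the release was built against.
	deps := map[string][]byte{
		"commons-lang-2.4.jar": []byte("PK..commons-lang 2.4 (constructed)"),
		"log4j-1.2.15.jar":     []byte("PK..log4j 1.2.15 (constructed)"),
	}
	manifest := Manifest{}
	for name, blob := range deps {
		manifest[name] = sha256Hex(blob)
	}
	data, sig := manifest.Canonical(), SignManifest(priv, manifest)

	out := map[string]bool{}
	// Honest repository: signature verifies and every artifact matches.
	verified, err := VerifyManifest(pub, data, sig)
	out["signature_ok"] = err == nil
	out["deps_ok"] = err == nil &&
		CheckDependency(verified, "commons-lang-2.4.jar", deps["commons-lang-2.4.jar"]) == nil &&
		CheckDependency(verified, "log4j-1.2.15.jar", deps["log4j-1.2.15.jar"]) == nil

	// Compromised repository: artifact swapped, checksum list left alone.
	evil := []byte("PK..commons-lang 2.4 with a backdoor (constructed)")
	out["swapped_artifact_detected"] = CheckDependency(verified, "commons-lang-2.4.jar", evil) != nil

	// Compromised repository: attacker rewrites the checksum list to match the
	// swapped artifact. The list is covered by the release signature, so the
	// signature no longer verifies and nothing in the list is trusted.
	forged := Manifest{}
	for k, v := range manifest {
		forged[k] = v
	}
	forged["commons-lang-2.4.jar"] = sha256Hex(evil)
	_, err = VerifyManifest(pub, forged.Canonical(), sig)
	out["rewritten_manifest_detected"] = err != nil
	return out, nil
}

func main() {
	out, err := Scenario()
	if err != nil {
		panic(err)
	}
	for _, k := range []string{"signature_ok", "deps_ok", "swapped_artifact_detected", "rewritten_manifest_detected"} {
		fmt.Printf("%-28s %v\n", k, out[k])
	}
}
```

The point the thread circles is visible in the last case: an attacker who controls the repository can replace both artifact and checksum, but cannot produce a signature over the rewritten list without the release key, so the consumer's trust reduces to the release signature and the out-of-band channel used to obtain the release key. That is the same trust anchor a plain signed release already needs, and the example deliberately does nothing about the other objection in the thread, namely agreeing where the list lives and how it is formatted.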