-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/04/14 14:42, Samuli Seppänen wrote:
>
>> On 10/04/14 13:06, Joe Patterson wrote:
>>> Not so much a "confidentiality" benefit as an "integrity"
>>> benefit, to make sure you really are getting your software from
>>> who you think you're getting it from.
>>
>> The only way to truly get that confirmation is by using the
>> signature files, or other signature mechanism (preferably via
>> another channel)
>>
>> Samuli: Maybe our release announcements should be PGP signed,
>> with sha256sums of the files we're releasing? And maybe we
>> should consider a possibility to host at least a copy of the PGP
>> signatures of our files on an external server too? (That should
>> *not* be a mirrored setup, but somehow distributed outside of a
>> public HTTP{,S})
>>
>> <paranoid mode="off"/>
>>
>
> What if we'd put the sha256sums to Git? That would be distributed,
> so any meddling could be detected easily.

Not sure I follow this one. How would that work out? To which git tree
should this information be committed? Or did you mean to have a
separate git tree with PGP/GPG signatures published for each of the
released files?

That could actually work, and wouldn't require us to set up another
server anywhere. But git trees aren't necessarily distributed; they
are only distributed at the moment someone pulls them down to their
own systems, and preferably pushes that info out on a different
server. Having 10 forked signature trees on GitHub isn't really that
well distributed. So we would need to push such a git tree to at least
2-3 non-related sites (sf.net, GitHub and Gitorious?) ... Those who
are most paranoid should then be able to pull down all trees into the
same local repository without having any conflicts.

Anyhow, I think we should post those checksums to the mailing list
too, in a signed e-mail. We should really do release announcements
anyway. And since mailing lists are distributed as well, tampering
does not get any easier. That can be a quick check which is easy to do
for most people. Those who want a more thorough check can grab one or
more of the git trees.

--
kind regards,

David Sommerseth
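The check the thread is proposing (a signed list of sha256sums, obtained and verified out of band, then applied to the downloaded release files), as an added example that is not OpenVPN project code: it assumes a `SHA256SUMS` file with a detached `SHA256SUMS.asc` signature and a separately obtained GnuPG keyring, and every file name in it is constructed for illustration.

```python
import hashlib
import os
import subprocess

def parse_sha256sums(text):
    """Parse `sha256sum` output lines ('<64 hex>  <name>'); a leading '*' on the name marks binary mode."""
    sums = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError("malformed sha256sums line: %r" % line)
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if os.path.basename(name) != name:  # release files are plain names; refuse anything path-like
            raise ValueError("unexpected path in sha256sums: %r" % name)
        sums[name] = digest
    return sums

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def check_release(sums_text, directory):
    """Compare every listed file with its published digest; returns (ok, failed, missing) name lists."""
    ok, failed, missing = [], [], []
    for name, expected in parse_sha256sums(sums_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            missing.append(name)
        elif sha256_file(path) == expected:
            ok.append(name)
        else:
            failed.append(name)
    return ok, failed, missing

def signature_is_valid(sums_path, sig_path, keyring):
    """True if sig_path is a good detached GnuPG signature over sums_path by a key in `keyring` (obtained out of band)."""
    cmd = ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring, "--verify", sig_path, sums_path]
    return subprocess.run(cmd, capture_output=True).returncode == 0

def verify_release(directory, keyring, sums_name="SHA256SUMS", sig_name="SHA256SUMS.asc"):
    # The digests are only worth anything once the signature over them checks out.
    sums_path = os.path.join(directory, sums_name)
    if not signature_is_valid(sums_path, os.path.join(directory, sig_name), keyring):
        raise RuntimeError("signature over %s did not verify; do not trust these digests" % sums_name)
    with open(sums_path, encoding="utf-8") as f:
        return check_release(f.read(), directory)
```

A failed signature aborts before any digest is compared, so a mirror that swaps both the tarball and the sums file still gets caught, provided the keyring came from somewhere else.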