-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Gregory Maxwell had some good ideas along these lines at the san jose
conference. Extending gitian with these kinds of features would be a good
approach.
But I think its worth thinking about attack models. A huge danger with
auto-updating is that
One approach you could use would be to use bitcoin signing on
a list of the build artifacts together with their SHA256 hashes.
If you have a look at the MultiBit release notes you get the
overall idea:
https://multibit.org/releases/multibit-0.5.13/release.txt
Currently these aren't machine read
Indeed. You can hardcode a "distributor" public key in the software,
and client software will only trust signed data from that key. Of
course, the private key for that data is not kept on the server
distributing the signed checksums. Ideally it would be kept offline,
and the couple-times-per-yea
If you want package authentication, you should at least throw in some
digital signing, not just a checksum. With a compromised host, both the
checksum and binaries can be changed undetectably, but if there's a
signature made by a key that is not kept on the host, there's no way to
fake a valid bina
Interesting! I will refrain from digging into QC right now, per Alan's
suggestion. :)
--
Get your SQL database under version control now!
Version control is standard for application code, but databases havent
caught up. So
For usability purposes, we at Hive would like to have an auto-updater in our
wallet app.
What is a safe way to do this? I understand that Bitcoin-QT lacks such an
updater for security reasons... Has been thought out in more detail since that
decision was made?
We have been toying around with t
6 matches
Mail list logo
