| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
On Sunday 17 February 2002 01:20, Ali-Reza Anghaie wrote: |
| 5 |
> equation. And from at least one rip in #gentoo it seems |
| 6 |
> signing the packages seems silly to some... |
| 7 |
|
| 8 |
Not me. Well, signing the tgz-source-packages themselves might |
| 9 |
be "silly" indeed. But not code/hash signing as such. In my view |
| 10 |
good security is one of the most important requirements for |
| 11 |
today's and tomorrow's IT (BTW guess why BillG is talking about |
| 12 |
"trustworthy computing" suddenly). |
| 13 |
|
| 14 |
And theoretically, "revisable" security is one of the biggest |
| 15 |
advantages of Gentoo compared to other distros/OS'es as people |
| 16 |
can actually really (re)view all the sources that were used to |
| 17 |
build their whole system (not counting closed source packages, |
| 18 |
which are not essential for running Linux in general ;). Thus in |
| 19 |
theory there is no need for trust (concerning software) in |
| 20 |
Gentoo. Nevertheless this does not mean we should not care about |
| 21 |
ebuild/hash signing as people usually do not review all their |
| 22 |
source code but trust that many others reviewed the parts of it |
| 23 |
(= that "original" sources have been used, that these sources |
| 24 |
have been reviewed by their original developers etc.). And |
| 25 |
that's exactly what ebuild/hash signing would be for. Of course |
| 26 |
security is never absolute in real-life, but if we can improve |
| 27 |
it with reasonable effort, we should do so (IMHO). |
| 28 |
|
| 29 |
I intend to take a close look at Portage regarding these aspects |
| 30 |
but it will take some time though. Besides, security is a |
| 31 |
process, not a product or a piece of software (even if it is a |
| 32 |
particularly nice one ;). Thus for now I would just kindly ask |
| 33 |
Gentoo developers for some general "security awareness" (if it |
| 34 |
is not the case already). |
| 35 |
|
| 36 |
Regards |
| 37 |
|
| 38 |
Dani |
| 39 |
|
| 40 |
- -- |
| 41 |
...::: Daniel Mettler | http://www.numlock.ch :::.... |
| 42 |
|
| 43 |
-----BEGIN PGP SIGNATURE----- |
| 44 |
Version: GnuPG v1.0.6 (GNU/Linux) |
| 45 |
Comment: For info see http://www.gnupg.org |
| 46 |
|
| 47 |
iD8DBQE8byqhSLYjgrGjnWQRAnZYAJ9rxOVfJfntampG2FRgbsHwSmAgYwCfSy50 |
| 48 |
Lzhx8hLb7ttT/OT6y0FXhl8= |
| 49 |
=aQIy |
| 50 |
-----END PGP SIGNATURE----- |
Archives