-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sunday 17 February 2002 01:20, Ali-Reza Anghaie wrote:
> equation. And from at least one rip in #gentoo it seems
> signing the packages seems silly to some...

Not me. Well, signing the tgz-source-packages themselves might
be "silly" indeed. But not code/hash signing as such. In my view
good security is one of the most important requirements for
today's and tomorrow's IT (BTW guess why BillG is talking about
"trustworthy computing" suddenly).

And theoretically, "revisable" security is one of the biggest
advantages of Gentoo compared to other distros/OS'es as people
can actually really (re)view all the sources that were used to
build their whole system (not counting closed source packages,
which are not essential for running Linux in general ;). Thus in
theory there is no need for trust (concerning software) in
Gentoo. Nevertheless this does not mean we should not care about
ebuild/hash signing as people usually do not review all their
source code but trust that many others reviewed the parts of it
(= that "original" sources have been used, that these sources
have been reviewed by their original developers etc.). And
that's exactly what ebuild/hash signing would be for. Of course
security is never absolute in real-life, but if we can improve
it with reasonable effort, we should do so (IMHO).

I intend to take a close look at Portage regarding these aspects
but it will take some time though. Besides, security is a
process, not a product or a piece of software (even if it is a
particularly nice one ;). Thus for now I would just kindly ask
Gentoo developers for some general "security awareness" (if it
is not the case already).

Regards

Dani

- --
...::: Daniel Mettler | http://www.numlock.ch :::....

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8byqhSLYjgrGjnWQRAnZYAJ9rxOVfJfntampG2FRgbsHwSmAgYwCfSy50
Lzhx8hLb7ttT/OT6y0FXhl8=
=aQIy
-----END PGP SIGNATURE-----
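As an added illustration of the ebuild/hash signing the message argues for (example code written for this page, not from the thread or from Portage): the distributor signs a small digest manifest instead of the tarballs themselves, and the user's side refuses the sources unless the signature verifies and every digest matches. The manifest format, the file names and the Ed25519 key pair are constructed for the example; a real deployment would pin the distributor's public key out of band.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)
func digest(data []byte) string { // hex SHA-256 of a source file's bytes
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// MakeManifest writes one "SHA256 <hex> <name>" line per source file (constructed format).
// Signing this short text instead of every tarball is the hash signing the message argues for.
func MakeManifest(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names) // fixed order so the signed bytes are reproducible
	var b strings.Builder
	for _, n := range names {
		fmt.Fprintf(&b, "SHA256 %s %s\n", digest(files[n]), n)
	}
	return b.String()
}

// Verify checks the signature before trusting any digest, then every listed file against it.
func Verify(pub ed25519.PublicKey, manifest string, sig []byte, files map[string][]byte) error {
	if !ed25519.Verify(pub, []byte(manifest), sig) {
		return fmt.Errorf("manifest signature invalid: digests cannot be trusted")
	}
	for _, line := range strings.Split(strings.TrimSpace(manifest), "\n") {
		f := strings.Fields(line) // [algorithm, hex digest, file name]
		if len(f) != 3 || f[0] != "SHA256" || digest(files[f[2]]) != f[1] {
			return fmt.Errorf("%q: malformed line, or file missing or altered", line)
		}
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // stands in for the distro's key pair
	files := map[string][]byte{"foo-1.0.tar.gz": []byte("constructed tarball bytes")}
	m := MakeManifest(files)
	fmt.Println(Verify(pub, m, ed25519.Sign(priv, []byte(m)), files)) // <nil> for genuine sources
}
```

A file listed in the manifest but absent on disk hashes as empty input, so the check only passes for it if the signed digest is that of an empty file.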