On Sun, 07 Nov 2004 11:58:13 -0500
Dan Margolis <dmargoli@××××××××××.edu> wrote:

> Actually, kernel.org *does* sign their downloads; their public key is
> available on any of the major TTP PGP servers (from which you download
> using SSL signed by a trusted CA whose cert you already have installed
> from when you got your computer or whatever). Microsoft at the very
> least uses SSL of the same nature, but I suspect they also use digital
> signatures on each package to provide the same security; I'm sure the
> public key was pre-distributed with your computer.

They do, but a self-verifying executable, running with administrator
privileges, is rather pointless. (Of course, the user could right-click and
check the properties, but who knows this?)
Additionally, Microsoft (and probably Redhat) have the advantage of a
rather centralised structure. They have tight control over their network
and their developers' workstations.
OTOH, Gentoo's or Debian's developers are spread world-wide, which makes
key exchange and evaluation of the security of a developer's personal
computer quite difficult.

>
> RedHat provides the same faculty, based on GPG, with up2date.

The questions are: What are they signing? Have they audited the source
code from which they built the RPM? What are their guarantees?
(The last question was actually non-rhetorical ;-)

As an example, a few years ago, Microsoft shipped an MSDN CD that contained
a virus. It wasn't signed, but had it been, the virus would have been
signed as well.

> So it's not like we're really far behind the 8 ball here, but this *is*
> a possible problem, the fix is well understood and implementable, and
> some people do already fix it (and, in my opinion, it would be negligent
> not to).

I think that improperly used signatures are a dangerous placebo.
Developers have to be well aware of how to treat and use their keys.
Users have to be thoroughly educated about the meaning of a signature (i.e.
which guarantees it gives and which it cannot give).
If this does not happen, there will be a lot of dangerous
misunderstanding and - eventually - bad blood.

If both - users and developers - are informed, then keys *are* a useful
measure that makes operation of mirrors easier and more reliable.
But it still does not improve the trust you should have in the software
as a whole.

Regards

--
gentoo-security@g.o mailing list