[Fink-users] Re: [Fink-devel] More on ..GPG Signing the info file and patches..

[Daniel L. <dm...@ya...>]

All,
What about an opt-in scheme where everything is signed, but users who 
don't care can install it without verification. Sort of like the MD5 
scheme some projects use--you verify the integrity of the software if 
you worry about such things and ignore the signature if you don't. 
Developers would all have a PKI key, sign with their private and the 
installer could optionally verify using their public key. The public 
keys could be retrieved from servers when modules are downloaded. Then 
users have a choice and only those who want the extra security are 
burdened. Unfortunately, all developers have to sign their work to 
accommodate the option, so it is more work for already over-worked 
developers.

Just my $0.02,
Daniel
--
daniellordATtelocityDOTcom                                             
"My  dancing, drinking, and singing weave me the mat
GPG Fingerprint: C59E 59F5 1C63 5CFB 6161  067E FF00 A4E8 684A 16BB    
upon which my soul will sleep in the world of spirits"
                                                                         
                   -- Old Man of Halmahera, Indonesia


On Friday, Nov 29, 2002, at 12:47 US/Pacific, David wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: RIPEMD160
>
>
> On Donnerstag, November 28, 2002, at 09:00  Uhr, Carsten Klapp wrote:
>
>> Hi David,
>>
> Hi Carsten
>> I like the idea of signature verification. Better safe now than sorry 
>> later.
>>
> I am very glad to hear that, which makes me think about this even 
> more.  It was pointed out to me in channel, that gpg contains strong 
> cryptography and might not be suited for every country therefore. I 
> admit, that I did not think of this and I shall do my very best to 
> research the matter. Even though I would like to have this security 
> feature optional for now, I am sure we could try and move it to a 
> mandatory status later.
>> I have a few concerns:
>>
>> - Scripts on the server which automatically sign committed info and 
>> patch files wouldn't stop a hacker, no?
>>
> Come to think about it, automatic signing is a bad idea. The whole 
> idea behind the interactive signing process of gpg is to make sure, 
> that the person signing the package or message is really the one the 
> key belongs to, thus the password. It would be possible to either 
> share the secret key between all members or simply provide a central 
> location which has to be protected properly, for signing packages, 
> info and patch files.
>
> I also wonder how the users think about it, after all gpg signing 
> would require additional programs to be installed maybe even 
> additional modules for fink to use gpg properly.
>
> So please, all of you voice your opinion and please excuse the cross 
> post.
>
> - -d
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.1 (Darwin)
>
> iD8DBQE959JwiW/Ta/pxHPQRAyIxAJ0fee1GhTwqVFghpi3Dfvt6eQikqQCgxtd9
> MJRKfzUoHZ9lLkUq56hPKKU=
> =+zlf
> -----END PGP SIGNATURE-----
>
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: Get the new Palm Tungsten T 
> handheld. Power & Color in a compact size! 
> http://ads.sourceforge.net/cgi-bin/redirect.pl?palm0002en
> _______________________________________________
> Fink-devel mailing list
> Fin...@li...
> https://lists.sourceforge.net/lists/listinfo/fink-devel
>
>