It would be very nice if the rpms could be released with PGP/GPG signatures. It makes automated updating much easier and obviously provides assurance of file integrity.
That has been suggested to me before, but I have always wondered how useful it really is from a security point of view. After all, in order to verify the PGP signature people would need my public key .. which they would get from the same website that webmin is downloaded from. So if the download site was compromised, the key could be too!
It's more complex than that. Your website is not the only place people get either Webmin RPMs or your PGP/GPG signature. Your PGP signature should at least be uploaded to some of the public key servers. Ideally it should also be signed by other people who can positively identify you--this means that when your key is uploaded to the key servers, there are a number of other people who have verified that the key in fact belongs to you. Also, people will download your key (either manually from your website or from a keyserver) and if the signature on a package does not match, someone will notice.

For the RPMs, some people may make mirrors of your packages (and now that you're using SourceForge's download server, your packages are going to mirrors)--this lets them corroborate that the package downloaded from a mirror is your authentic package, because it's been signed with the key retrieved from either your website or a public key server.
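The check the reply above describes, as an added example that is not part of this thread or of Webmin's own tooling: a downloader trusts the publisher's key only when its fingerprint matches one learned somewhere other than the download site (a keyserver listing, certifications by people who know the publisher, a fingerprint printed elsewhere), and only then verifies the package against that key. It assumes GnuPG 2.1 or later is installed; the key, the package bytes and the fingerprint are all constructed throwaways, and a plain file with a detached signature stands in for an RPM.

```shell
#!/bin/sh
# Added example (not from the thread): a downloader checking a signed package
# against a key whose fingerprint was learned independently of the download site.
# Keys, package bytes and fingerprints are constructed here in throwaway
# directories; nothing is Webmin's real key or packaging.

# Publisher side (constructed stand-in): generate a signing key, sign a package
# with a detached signature, export the public key, and print the fingerprint:
# the value the publisher spreads out-of-band and has other people certify.
setup_publisher() {
    dir="$1"
    mkdir -p -m 700 "$dir/gnupg"
    GNUPGHOME="$dir/gnupg" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Example Packager <packager@example.invalid>' default default never
    printf 'stand-in package bytes\n' > "$dir/pkg.rpm"
    GNUPGHOME="$dir/gnupg" gpg --batch --quiet --yes --armor --detach-sign \
        --output "$dir/pkg.rpm.asc" "$dir/pkg.rpm"
    GNUPGHOME="$dir/gnupg" gpg --batch --quiet --armor --export > "$dir/pubkey.asc"
    GNUPGHOME="$dir/gnupg" gpg --batch --with-colons --fingerprint \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Downloader side: import the key that came with the download into a fresh keyring,
# refuse it unless its fingerprint equals the pinned one, then check the detached
# signature. Returns 0 if genuine, 2 on fingerprint mismatch, 1 on bad signature.
verify_package() {
    pkg="$1"; sig="$2"; keyfile="$3"; pinned_fpr="$4"
    home="$(mktemp -d)"
    GNUPGHOME="$home" gpg --batch --quiet --import "$keyfile" 2>/dev/null
    got_fpr="$(GNUPGHOME="$home" gpg --batch --with-colons --fingerprint \
               | awk -F: '$1 == "fpr" { print $10; exit }')"
    if [ "$got_fpr" != "$pinned_fpr" ]; then
        echo "refusing key: fingerprint $got_fpr does not match pinned $pinned_fpr" >&2
        return 2
    fi
    GNUPGHOME="$home" gpg --batch --quiet --verify "$sig" "$pkg" 2>/dev/null || return 1
}

# Demo run: a genuine package verifies, a package altered after signing does not.
pub="$(mktemp -d)"
fpr="$(setup_publisher "$pub")"
verify_package "$pub/pkg.rpm" "$pub/pkg.rpm.asc" "$pub/pubkey.asc" "$fpr" && echo "genuine package: OK"
printf 'x' >> "$pub/pkg.rpm"
verify_package "$pub/pkg.rpm" "$pub/pkg.rpm.asc" "$pub/pubkey.asc" "$fpr" || echo "altered package: rejected"
```

Real RPMs carry the signature inside the package header rather than in a separate file, so the last step would be `rpm --import` of the key followed by `rpm --checksig` on the package; the fingerprint pinning before the import is the part a compromised download site cannot defeat.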
Ok, I'm convinced .. I've put this on my TODO list. I should be able to add support for signing updated modules as well ..