httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From c...@decus.org (Rodent of Unusual Size)
Subject Re: Digital signatures (was Re: [STATUS] Sun Apr 13 19:08:09 PDT 1997)
Date Thu, 17 Apr 1997 19:50:38 GMT
>From the fingers of sameer flowed the following:
>
>	When signing the dist you have to look at the thret model. If
>you are protecting against someone breaking into taz and inserting a
>security hole, you have to do more than sign the distribution. If you
>are wanting mirror sites to be carrying the rel thing, then signing
>works. If you want to just prevent corruption during the transfer, you
>cna use ssl to distribute the distribution.

    My impression was that the main thrust for now was the second: "None
    authentic without this label."  Particularly since copies of
    binaries are showing up in the oddest places.. and people may think
    we created them.

    I see signing the tarball and the binaries as an appropriate step at
    this point.  I'm willing to assume Brian runs a reasonably secure
    shop (even though he gave me an account ;-)

    #ken    :-)}

Mime
View raw message