Cryptographically signed releases

Marc Lehmann schmorp at schmorp.de
Sat Jan 4 10:58:16 CET 2014


On Fri, Jan 03, 2014 at 10:43:43PM +0200, Alex Efros <powerman at powerman.name> wrote:
> On Fri, Jan 03, 2014 at 08:51:44PM +0100, Marc Lehmann wrote:
> > On Fri, Jan 03, 2014 at 04:35:46PM +0100, Mariska Koch <omgoch at gmail.com> wrote:
> > > Can you distribute your source code (the tar.gz files) via for example https
> > What would the point of https be?
> 
> To make sure sources won't be compromised while downloading using MITM attack.

Well, https can't do that.

> > And that somehow makes it trustworthy? And how would users know that from
> > a signature anyway? Who would be the trust broker for the signature?
> 
> Users will know this signature is from official website, protected by https.

https can't do that.

> This won't protect against government agencies who are able to get fake https
> certificate for any website signed by one of hundreds of CAs trusted by
> major browsers, but for all other cases it should provide assurance to

I think for anybody who didn't live under a rock for the last two years
(security-wise), it should be obvious that this isn't true - you don't
have to be a government agency to get fake certificates at all.

> user that she really downloaded unmodified file from official website.

Which, in itself, isn't that helpful (nobody is interested whether the
file is modified or not, people are interested in whether the contents are
harmful or not).

> If not for real users, this may be useful for distributive developers, to
> minimize chance to occasionally include compromised version of some software.

(What is a distributive developer?)

> Some users (including me) prefer to use https whenever possible for any
> website (and use browser plugins to enforce this), so it's always good
> idea to make _any_ website available using https.

I don't think it is particularly convincing to say that using https is
always a good idea because you prefer it :)

> BTW, startssl.com provides https certificates for free.

Interesting, nice to know (but I don't trust any CAs except my own).

> already have this file and don't wanna re-download it. In these cases it's
> always good to have ability to check if this file was modified or not -
> which is usually done using MD5/SHA1 signatures from official website
> (or from webarchived/googlecached version of that site if it's down now).

I think you confuse signatures with checksums. I will consider adding
checksums, that's not a big issue.

> So, https and signatures aren't useless - they really add some value.

I agree.

> So, for me, https+signatures is “nice to have” feature, no more.

Absolutely nothing wrong with that :)

-- 
                The choice of a       Deliantra, the free code+content MORPG
      -----==-     _GNU_              http://www.deliantra.net
      ----==-- _       generation
      ---==---(_)__  __ ____  __      Marc Lehmann
      --==---/ / _ \/ // /\ \/ /      schmorp at schmorp.de
      -=====/_/_//_/\_,_/ /_/\_\
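
The checksum/signature distinction raised in the thread, as an added example that is not part of the original message or of any project's code. It assumes SHA-256 for the checksum and Ed25519 for the signature (the thread names neither); all type and function names, the key and the tarball bytes are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Download is what a user fetches: tarball, checksum and detached signature, all over one channel.
type Download struct {
	Tarball  []byte
	Checksum [32]byte // SHA-256 listed on the download page
	Sig      []byte   // Ed25519 signature over the tarball
}

func Publish(priv ed25519.PrivateKey, tarball []byte) Download {
	return Download{tarball, sha256.Sum256(tarball), ed25519.Sign(priv, tarball)}
}

// Tampered models a modified download: whoever can change the tarball can
// recompute the checksum too, but cannot produce a new signature without the key.
func Tampered(d Download, replacement []byte) Download {
	return Download{replacement, sha256.Sum256(replacement), d.Sig}
}

func ChecksumOK(d Download) bool {
	sum := sha256.Sum256(d.Tarball)
	return bytes.Equal(sum[:], d.Checksum[:])
}

// SignatureOK verifies against a key the user obtained earlier, not from the download.
func SignatureOK(pinned ed25519.PublicKey, d Download) bool {
	return ed25519.Verify(pinned, d.Tarball, d.Sig)
}

// Demo returns {checksum ok, signature ok} for a genuine and a modified download.
func Demo() (genuine, modified [2]bool) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{7}, 32)) // constructed key
	pinned := priv.Public().(ed25519.PublicKey)
	good := Publish(priv, []byte("constructed release tarball bytes"))
	bad := Tampered(good, []byte("constructed modified tarball bytes"))
	return [2]bool{ChecksumOK(good), SignatureOK(pinned, good)},
		[2]bool{ChecksumOK(bad), SignatureOK(pinned, bad)}
}

func main() {
	fmt.Println(Demo())
}
```

The signature check is only as good as the way the verifying key reached the user, which is the "trust broker" question asked earlier in the thread.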




More information about the rxvt-unicode mailing list