Cryptographically signed releases

Alexander Huemer alexander.huemer at xx.vu
Sat Jan 4 14:46:45 CET 2014


On Sat, Jan 04, 2014 at 10:58:16AM +0100, Marc Lehmann wrote:
> On Fri, Jan 03, 2014 at 10:43:43PM +0200, Alex Efros <powerman at powerman.name> wrote:
> > On Fri, Jan 03, 2014 at 08:51:44PM +0100, Marc Lehmann wrote:
> > > On Fri, Jan 03, 2014 at 04:35:46PM +0100, Mariska Koch <omgoch at gmail.com> wrote:
> > > > Can you distribute your source code (the tar.gz files) via for example https
> > > What would the point of https be?
> > 
> > To make sure sources won't be compromised while downloading using a MITM attack.
> 
> Well, https can't do that.

Well, data in a https connection cannot be trivially exchanged with 
something else without having the key.
In my opinion that would be the whole point, to prevent trivial attacks.

> > > And that somehow makes it trustworthy? And how would users know that from
> > > a signature anyway? Who would be the trust broker for the signature?
> > 
> > Users will know this signature is from the official website, protected by https.
> 
> https can't do that.
> 
> > This won't protect against government agencies who are able to get a fake https
> > certificate for any website signed by one of hundreds of CAs trusted by
> > major browsers, but for all other cases it should provide assurance to
> 
> I think for anybody who didn't live under a rock for the last two years
> (security-wise), it should be obvious that this isn't true - you don't
> have to be a government agency to get fake certificates at all.

That's correct, but not the point.

> > user that she really downloaded an unmodified file from the official website.
> 
> Which, in itself, isn't that helpful (nobody is interested whether the
> file is modified or not, people are interested in whether the contents are
> harmful or not).

Of course I want to know whether the file I downloaded was modified 
during download.
The software being harmful or not by itself is a different story.

> > If not for real users, this may be useful for distributive
> > developers, to minimize the chance of occasionally including a compromised
> > version of some software.
> 
> (What is a distributive developer?)

I am pretty sure what he meant is a package maintainer of a Linux
distribution.

> > Some users (including me) prefer to use https whenever possible for any
> > website (and use browser plugins to enforce this), so it's always a good
> > idea to make _any_ website available using https.
> 
> I don't think it is particularly convincing to say that using https is
> always a good idea because you prefer it :)

It is generally a good idea. Or do you have any examples of negative 
effects of its usage?

> > BTW, startssl.com provides https certificates for free.
> 
> Interesting, nice to know (but I don't trust any CAs except my own).

Yes, there is absolutely no point in trusting some random company.

Kind regards,
-Alex




More information about the rxvt-unicode mailing list