Cryptographically signed releases
Alexander Huemer
alexander.huemer at xx.vu
Sat Jan 4 14:46:45 CET 2014
On Sat, Jan 04, 2014 at 10:58:16AM +0100, Marc Lehmann wrote:
> On Fri, Jan 03, 2014 at 10:43:43PM +0200, Alex Efros <powerman at powerman.name> wrote:
> > On Fri, Jan 03, 2014 at 08:51:44PM +0100, Marc Lehmann wrote:
> > > On Fri, Jan 03, 2014 at 04:35:46PM +0100, Mariska Koch <omgoch at gmail.com> wrote:
> > > > Can you distribute your source code (the tar.gz files) via for example https
> > > What would the point of https be?
> >
> > To make sure sources won't be compromised while downloading using MITM attack.
>
> Well, https can't do that.
Well, data in a https connection cannot be trivially exchanged with
something else without having the key.
In my opinion that would be the whole point, to prevent trivial attacks.
> > > And that somehow makes it trustworthy? And how would users know that from
> > > a signature anyway? Who would be the trust broker for the signature?
> >
> > Users will know this signature is from official website, protected by https.
>
> https can't do that.
>
> > This won't protect against government agencies who able to get fake https
> > certificate for any website signed by one of hundreds CA trusted by
> > major browsers, but for all other cases it should provide assurance to
>
> I think for abyody who didn't live under a rock for the last two years
> (security-wise), it should be obvious that this isn't true - you don't
> have to be a government agency to get fake certificates at all.
That's correct, but not the point.
> > user what she really downloaded unmodified file from official website.
>
> Which, in itself, isn't that helpful (nobody is interested whether the
> file is modified or not, people are interested in whether the contents are
> harmful or not).
Of course I want to know whether the file I downloaded was modified
during download.
The software being harmful or not by itself is a different story.
> > If not for real users, this may be useful for distributive
> > developers, to minimize chance to occasionally include compromised
> > version of some software.
>
> (What is a distributive developer?)
I am pretty sure what he meant is a package maintainer of a linux
distribution.
> > Some users (including me) prefer to use https whenever possible for any
> > website (and use browser plugins to enforce this), so it's always good
> > idea to make _any_ website available using https.
>
> I don't think it is particularly convincing to say that using https is
> alwas a good idea because you prefer it :)
It is generally a good idea. Or do you have any examples of negative
effects of its usage?
> > BTW, startssl.com provides https certificates for free.
>
> Interesting, nice to know (but I don't trust any CAs except my own).
Yes, there is absolutely no point in trusting some random company.
Kind regards,
-Alex
More information about the rxvt-unicode
mailing list