oss-sec mailing list archives
Re: upstream source code authenticity checking
From: Florian Weimer <fweimer () redhat com>
Date: Fri, 26 Apr 2013 11:49:46 +0200
On 04/25/2013 07:55 AM, Alistair Crooks wrote:

> So, all in all, what you have is a digest, signed by someone who knows the key, or who has access to the creds (if any) for the key, or who has found out the key creds, albeit with timestamp info for when the signature took place. I'm not sure what using PGP gains us?
We can tell that the new tarball passed through some of the same steps that the old tarball did. It is better than just downloading it from the same site as before because some middlemen have already demonstrated that they can be unreliable, and the OpenPGP signature cuts them out. (Large source code hosting sites have been compromised, or serve their content exclusively over a mirror network which literally anyone can join.)
Merely looking for key continuity means that we don't have to wonder if "Rodent of Unusual Size" is authorized to spin new releases of Apache httpd.
-- Florian Weimer / Red Hat Product Security Team
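The key-continuity check Florian describes, as an added example that is not part of the original post and not Red Hat's or GnuPG's own code: a small verifier that runs `gpg --status-fd 1 --verify`, parses the machine-readable status lines documented in GnuPG's doc/DETAILS, and accepts a release tarball only when the cryptographically valid signature comes from the full fingerprint pinned from an earlier, already-trusted release. It assumes `gpg` is on PATH; the `PINNED_RELEASE_KEYS` set, the `verify_release`/`check_continuity` names and all fingerprints and status lines in the samples are constructed for illustration. The important point it encodes is that `GOODSIG` by itself only means "some key in the local keyring signed this"; continuity needs the `VALIDSIG` fingerprint compared against the pin.

```python
"""Key-continuity check for a release tarball's OpenPGP signature.

Parses the status lines GnuPG emits with
    gpg --batch --status-fd 1 --verify <tarball>.asc <tarball>
and accepts the signature only if it is VALIDSIG from a key whose full
fingerprint was pinned from an earlier, already-trusted release.
(Example code, not GnuPG's or the original poster's; status-line layout
follows GnuPG's doc/DETAILS, fingerprints below are constructed.)
"""
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

STATUS_RE = re.compile(r"^\[GNUPG:\]\s+(\S+)(?:\s+(.*))?$")

# Primary-key fingerprint of the key that signed the previous release
# (constructed value; in practice copied from the release you already trust).
PINNED_RELEASE_KEYS: Set[str] = {"0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"}

# Status keywords that must reject the file regardless of anything else.
# Note: GnuPG emits VALIDSIG even when the key is expired or revoked, so
# these are checked before VALIDSIG is looked at.
HARD_FAILURES = ("BADSIG", "ERRSIG", "NO_PUBKEY", "REVKEYSIG", "EXPKEYSIG", "EXPSIG")


@dataclass
class VerifyResult:
    ok: bool
    reason: str
    fingerprint: Optional[str] = None


def _normalize(fpr: str) -> str:
    """Fingerprints are compared without spaces and case-insensitively."""
    return fpr.replace(" ", "").upper()


def parse_status(status_output: str) -> List[Tuple[str, List[str]]]:
    """Return (keyword, args) for every '[GNUPG:] ...' line; other lines are ignored."""
    records = []
    for line in status_output.splitlines():
        m = STATUS_RE.match(line.strip())
        if m:
            records.append((m.group(1), (m.group(2) or "").split()))
    return records


def check_continuity(status_output: str, pinned: Set[str]) -> VerifyResult:
    """Apply the continuity policy to already-captured gpg status output."""
    pinned_norm = {_normalize(p) for p in pinned}
    records = parse_status(status_output)
    keywords = {kw for kw, _ in records}
    for bad in HARD_FAILURES:
        if bad in keywords:
            return VerifyResult(False, f"gpg reported {bad}")
    for kw, args in records:
        if kw != "VALIDSIG" or not args:
            continue
        # VALIDSIG <sig-key-fpr> <date> <ts> <expire-ts> <ver> <reserved>
        #          <pk-algo> <hash-algo> <sig-class> [<primary-key-fpr>]
        sig_fpr = _normalize(args[0])
        primary_fpr = _normalize(args[9]) if len(args) > 9 else sig_fpr
        if primary_fpr in pinned_norm or sig_fpr in pinned_norm:
            return VerifyResult(True, "valid signature from pinned release key", primary_fpr)
        # Cryptographically fine, but a different key: exactly the case where
        # "someone signed it" is not the same as "the release manager signed it".
        return VerifyResult(False, f"valid signature but key {primary_fpr} is not pinned", primary_fpr)
    return VerifyResult(False, "no VALIDSIG line in gpg status output")


def verify_release(tarball: str, signature: str, pinned: Set[str]) -> VerifyResult:
    """Run gpg on a detached signature and apply the continuity policy."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature, tarball],
        capture_output=True, text=True, check=False)
    return check_continuity(proc.stdout, pinned)


# Constructed status output: valid signature by a signing subkey whose
# primary key is the pinned one.
SAMPLE_PINNED = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Release Key <release@example.org>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2013-04-26 1366969786 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed: GOODSIG from some other key in the keyring, not the pinned one.
SAMPLE_OTHER_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111111122222222 Rodent of Unusual Size <rous@example.org>
[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA11111111 2013-04-26 1366969786 0 4 0 1 10 00 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA11111111
"""

# Constructed: signature does not verify at all.
SAMPLE_BAD = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 89ABCDEF01234567 Example Release Key <release@example.org>\n"

if __name__ == "__main__":
    for name, sample in (("pinned", SAMPLE_PINNED), ("other", SAMPLE_OTHER_KEY), ("bad", SAMPLE_BAD)):
        print(name, check_continuity(sample, PINNED_RELEASE_KEYS))
```

Pinning the primary-key fingerprint rather than the signing subkey lets a project rotate signing subkeys without breaking continuity, while a change of primary key still surfaces as a rejection that a human has to look at.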