|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: Reflections on Trusting Trust
From: Kris Kennaway (kris
obsecurity.org)
Date: Tue Nov 29 2005 - 17:33:16 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Tue, Nov 29, 2005 at 06:27:03PM -0500, Kris Kennaway wrote:
> On Tue, Nov 29, 2005 at 01:36:31PM -0200, aristeu wrote:
> > I'm new here, and I've posted only once. I just want to add my "just
> > another user" opinion on this...
> >
> > Signing security advisories that sends the hashes for a file does a nice
> > job.
> >
> > I think the only problem that exists is the package/ports deployment. I
> > belive we can't trust only on hashes for this (tar already does a fine job
> > on integrity...), because it can be easily circunvented. Maybe trusting
> > this it is the real weakest link...
>
> I'd be happy to work with someone who can implement a solution for the
> package side.
Also, pkg_sign(1) has existed for a long time, but needs the support
infrastructure to make it usable.
Kris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (FreeBSD)
iD8DBQFDjOU8Wry0BWjoQKURAkVYAJwPgTppYQakS50yfy1WJ1RqAzwb2ACffmLL
hCER8btPzPW2BBnJN3zHems=
=kYcs
-----END PGP SIGNATURE-----
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]