Am 11.03.2009 um 12:29 schrieb DM Smith:
On Mar 11, 2009, at 5:04 AM, Peter von Kaehne wrote:
One of the problems which has come up again and again when discussing
with publishers has been the worry that texts which are released to
CrossWire become an easy target for abuse - either commercial abuse
with
texts of some commercial importance or, more worrying to me at
least -
manipulation of texts by cults and other entities.
What possible solutions could we offer to provide text encryption and
integrity checking in a plausible way which would not violate GPL and
goes beyond our current practice of simply incorporating a key into
the
conf files?
This is a serious and important question. I am aware of several texts
which we did not get or where people hesitate because this is not
possible right now.
I wonder if signing is heavier than necessary? Part of signing that
is not widely appreciated is that unless a signature is validated by
a signing authority, it does not mean much. That is generally,
pretty costly. Perhaps a simple checksum kept in the conf would be
sufficient?
Yes, I think it would be enough to make sure the module data came from
CrossWire when downloaded.
However the checksum is easier to manipulate than a signature.
Manfred
_______________________________________________
sword-devel mailing list: [email protected]
http://www.crosswire.org/mailman/listinfo/sword-devel
Instructions to unsubscribe/change your settings at above page
