Robert Citek wrote:
I should have posted the last link first. It is a discussion of trust and how this affects both Open Source and Closed Source.
On Monday, Jan 17, 2005, at 15:01 US/Pacific, Jerry wrote:
Peter Torr of Microsoft made a blog entry entitled "How can I trust Firefox?"
I think this is the blog entry:
http://blogs.msdn.com/ptorr/archive/2004/12/20/327511.aspx
Main points:
1 - you should not trust the http/ftp server because there is no VeriSign cert
2 - you should not trust FireFox because it is not signed.
3 - you should not trust FireFox because 7-Zip gives an error.
4 - you should not trust FireFox because on startup, FireFox displays a blank dialog box.
The rebuttals to the above points:
1 - lack of VeriSign cert can be compensated by signing the package (e.g. zip file)
2 - FireFox is signed: MD5, SHA1, and GPG
3 - faulty download, which was fixed by downloading again
4 - probably a bug in McAfee VirusScan
My take: you shouldn't trust FireFox (nor any other software you download). You should verify with MD5, SHA1, or GPG:
http://bmagyarkuti.blogspot.com/2004/12/validating-your-firefox-installer-file.html
I do have to agree with one of the comments in the blog: software verifying seems to be made by geeks for geeks. But that is something that could be fairly easily overcome. Just my $0.02.
-- Jerry Hubbard [EMAIL PROTECTED]
_______________________________________________
CWE-LUG mailing list
http://www.cwelug.org/ [email protected]
http://lists.firepipe.net/listinfo/cwe-lug
