* Michael Stone:

> On Thu, Aug 29, 2013 at 11:35:47AM +0200, Sébastien Le Ray wrote:
>> Yes but the whole thing looks weird, on one hand OP wants to include a
>> signed jar in the package, on the other hand he says "signature could be
>> omitted if quick update is needed"… What's the point having signed JAR
>> if unsigned JAR is legitimate too? Either you ban unsigned JARs or you
>> don't use signed JAR at all…
>
> It leaves that decision of whether to run with the unsigned jar up to
> the user.

How so? The code that performs the signature check (or reports the
failure) relies on bits that we (Debian) ship. It's impossible to
bootstrap trust, unless you already trust Debian.

Repeatable, fully deterministic builds are certainly interesting (not
just because of security or trust issues), but this signature check is
rather strange.

> I think this is a reasonable solution if it works in practice, and is
> similar in concept to what the openssl folks have done for FIPS
> validation.

That's quite different because those who built the binaries also
compute the hashes, and not the OpenSSL folks.

-- 
Archive: http://lists.debian.org/[email protected]
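To make the argument above concrete, here is an added example (it is not from the thread and not Debian's or any JAR tool's code) of what a JAR signature check actually verifies: the manifest digests the entry bytes, the .SF file digests the manifest sections, and a signature block covers the .SF. Two things are assumptions of this example: a real JAR's signature block is PKCS#7/CMS over the .SF (META-INF/*.RSA, *.DSA or *.EC) checked against certificates the verifier trusts, and since the Python standard library has no RSA, an HMAC key (`TRUST_ANCHOR`) stands in for that trust anchor; the JAR contents (`SAMPLE_ENTRIES`) are constructed sample data. The point the message makes shows up in the verifier's signature: `verify_jar` takes the trust anchor and the `allow_unsigned` policy as inputs, and both, like the verifier itself, come from whoever ships the package, so an unsigned JAR that passes because of that policy is exactly as trusted as a signed one.

```python
import base64
import hashlib
import hmac
import io
import zipfile

# Assumption of this example: an HMAC key stands in for the PKCS#7 trust anchor
# (certificates) a real verifier is configured with.  Like the verifier, it is
# shipped by the distributor.
TRUST_ANCHOR = b"distributor-shipped-signing-key"

# Constructed sample contents of a tiny JAR (not real class files).
SAMPLE_ENTRIES = {"org/example/Main.class": b"\xca\xfe\xba\xbe fake class bytes",
                  "org/example/Util.class": b"\xca\xfe\xba\xbe more fake bytes"}


def _b64_sha256(data: bytes) -> str:
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def _section(name: str, body: bytes) -> str:
    """One named manifest/.SF section, terminated by a blank line."""
    return f"Name: {name}\r\nSHA-256-Digest: {_b64_sha256(body)}\r\n\r\n"


def _parse_sections(text: str) -> dict:
    """Map each Name to (raw section text, digest); the main section is skipped."""
    out = {}
    for chunk in text.split("\r\n\r\n"):
        if chunk.startswith("Name: "):
            name_line, digest_line = chunk.split("\r\n")
            out[name_line[len("Name: "):]] = (chunk + "\r\n\r\n",
                                              digest_line.split(": ", 1)[1])
    return out


def build_jar(entries: dict, signed: bool = True) -> bytes:
    """Build a toy signed or unsigned JAR in memory."""
    manifest = "Manifest-Version: 1.0\r\n\r\n" + "".join(
        _section(n, b) for n, b in entries.items())
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        if signed:
            # The .SF digests each manifest *section*, not the entry bytes.
            sf = "Signature-Version: 1.0\r\n\r\n" + "".join(
                _section(n, _section(n, b).encode()) for n, b in entries.items())
            zf.writestr("META-INF/SIG.SF", sf)
            # Signature block over the .SF (HMAC stand-in for PKCS#7, see above).
            zf.writestr("META-INF/SIG.SIG",
                        hmac.new(TRUST_ANCHOR, sf.encode(), "sha256").digest())
        for n, b in entries.items():
            zf.writestr(n, b)
    return buf.getvalue()


def replace_entry(jar: bytes, name: str, data: bytes) -> bytes:
    """Rewrite the JAR with one entry's bytes swapped (post-signing tampering)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar)) as src, zipfile.ZipFile(buf, "w") as dst:
        for info in src.infolist():
            dst.writestr(info.filename,
                         data if info.filename == name else src.read(info.filename))
    return buf.getvalue()


def verify_jar(jar: bytes, trust_anchor: bytes, allow_unsigned: bool) -> str:
    """Return 'signed-ok', 'unsigned-accepted' or 'rejected: <reason>'."""
    with zipfile.ZipFile(io.BytesIO(jar)) as zf:
        names = set(zf.namelist())
        if "META-INF/SIG.SF" not in names:
            # The "signature may be omitted for a quick update" policy lives in
            # the verifier, i.e. in bits the distributor ships.
            return "unsigned-accepted" if allow_unsigned else "rejected: no signature file"
        sf = zf.read("META-INF/SIG.SF")
        # 1. Signature block over the .SF, against the anchor the verifier ships with.
        expected = hmac.new(trust_anchor, sf, "sha256").digest()
        if not hmac.compare_digest(zf.read("META-INF/SIG.SIG"), expected):
            return "rejected: signature over .SF does not verify against the trust anchor"
        # 2. Every .SF section must match the corresponding manifest section.
        manifest_sections = _parse_sections(zf.read("META-INF/MANIFEST.MF").decode())
        sf_sections = _parse_sections(sf.decode())
        if set(sf_sections) != set(manifest_sections):
            return "rejected: manifest and .SF cover different entries"
        for name, (_, sf_digest) in sf_sections.items():
            if _b64_sha256(manifest_sections[name][0].encode()) != sf_digest:
                return f"rejected: manifest section for {name} does not match .SF"
        # 3. Every manifest digest must match the entry bytes actually in the JAR.
        for name, (_, digest) in manifest_sections.items():
            if name not in names or _b64_sha256(zf.read(name)) != digest:
                return f"rejected: {name} was modified after signing"
        return "signed-ok"


if __name__ == "__main__":
    signed = build_jar(SAMPLE_ENTRIES)
    print(verify_jar(signed, TRUST_ANCHOR, allow_unsigned=False))
    print(verify_jar(replace_entry(signed, "org/example/Main.class", b"evil"),
                     TRUST_ANCHOR, allow_unsigned=False))
    print(verify_jar(signed, b"some-other-key", allow_unsigned=False))
    print(verify_jar(build_jar(SAMPLE_ENTRIES, signed=False), TRUST_ANCHOR,
                     allow_unsigned=True))
```

Running it shows the three checks catching a modified class file and a wrong trust anchor, and then the unsigned JAR sailing through once `allow_unsigned=True`. Nothing in the verifier can tell the user whether `TRUST_ANCHOR` or the `allow_unsigned` default was tampered with, because those arrive through the same channel as the verifier: trust in the distributor is the starting point, not something the check establishes.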

