Hello Gerd, Wednesday, February 9, 2005, 4:51:39 PM, you wrote:
>> Most people would find the SHA1 file sufficient, the more paranoid among us
>> would do GPG.

GvE> sorry to intercept, but aren't the updated rule files that you
GvE> plan to publish code that is instantly executed as fetched? ...

1) IMO the rules files aren't "executed", but are regex filters (or equivalent) that check for spam. A compromised system might be tweaked to allow more spam through, but should not be zombied.

GvE> We've seen breakins at some well respected open source sites
GvE> within the last months (e.g. debian). But the damage was minor
GvE> because only few people downloaded the malicious code before it
GvE> was found and removed. This will be different with an automatic
GvE> update system...

My point is that if the rules files to be transmitted are automatically compiled from subsidiary rules files, and the GPG signature is applied by an automated system, without a human checking that each and every rule is indeed valid and correct, then there's nothing to stop a breakin from slipping their dirt into one of those subsidiary files, and the automated system will happily sign the corrupted file.

If a file goes from system A to B to C to D, the system at D can check A's signature to verify the file wasn't modified by B or C, but if A's signature is automatically applied on system A, there's NO assurance to the quality of the signed file.

Am I wrong about this?

Bob Menschel
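A toy model of the A-to-D signing chain discussed above, added here as an example that is not part of the original thread. An HMAC stands in for system A's GPG signature, the rule files and file names are constructed, and the "gated" release is one possible mitigation: A only signs a build whose subsidiary inputs match digests a human recorded after review.

```python
import hashlib
import hmac

# Constructed subsidiary rule files as a release system might hold them
# (sample data in a SpamAssassin-like syntax, not real rules).
SUBSIDIARY = {
    "10_misc.cf": "body LOCAL_TEST /viagra/i\nscore LOCAL_TEST 2.0\n",
    "20_urls.cf": "uri LOCAL_URL /\\.example\\.invalid/\nscore LOCAL_URL 1.5\n",
}

SIGNING_KEY = b"release-key"  # stand-in for system A's private GPG key


def compile_rules(subsidiary):
    """Concatenate subsidiary files in name order into the published rules file."""
    return "".join(subsidiary[name] for name in sorted(subsidiary))


def sign(data):
    """Stand-in for a GPG detached signature: HMAC-SHA256 under A's key."""
    return hmac.new(SIGNING_KEY, data.encode(), hashlib.sha256).hexdigest()


def verify(data, signature):
    """All system D can check: the file is what A signed, untouched by B or C."""
    return hmac.compare_digest(sign(data), signature)


def automated_release(subsidiary):
    """A signs whatever the build produced, with no review of its inputs."""
    compiled = compile_rules(subsidiary)
    return compiled, sign(compiled)


def reviewed_digests(subsidiary):
    """Digests a human records after checking each subsidiary file by hand."""
    return {n: hashlib.sha256(t.encode()).hexdigest() for n, t in subsidiary.items()}


def gated_release(subsidiary, approved):
    """Refuse to sign unless every subsidiary file matches the reviewed manifest."""
    actual = reviewed_digests(subsidiary)
    if set(actual) != set(approved):
        return None
    if any(not hmac.compare_digest(actual[n], approved[n]) for n in approved):
        return None
    compiled = compile_rules(subsidiary)
    return compiled, sign(compiled)
```

With a subsidiary file altered before the build, `automated_release` still yields a signature that verifies at D, which is exactly the gap described; `gated_release` declines to sign the same input.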
