-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Hullo folks.

While sitting around waiting for a meeting to start I tinkered a bit
with gpg and what it might give to us. When looking at the recent
problems with Trojans in sources I started to think that people might
start altering "Makefile" based building systems next. They could
"hack" our cvs, alter the info file so that it downloads a specially
altered version of the source and voilà, many people would be affected
by it. Even though it seems a bit out of the main course of action
right now, it is only the next logical step for versatile black-hats. I
would do it that way and I think I was pretty good at what I was doing
*grins*.

How could this be done?

Well, we can sign packages and patches fairly easily, that is not the
issue. We can create armoured (ascii) detached signatures or binary
signatures. Due to the nature of CVS I would suggest that we stick to
ascii data and thus use detached, armoured signatures.

However, there are certain issues that come with the setup.

a) The user must have gpg installed to benefit from the added security
b) We have to find a way to create a "Fink" gpg key for signing
packages. (I will discuss this separately)
c) The user will have to enter the phrase of his private key into some
file and thus the key would be exposed UNLESS we find a way to access the
keychain from Mac OS X and store the passphrase there

Signing the packages should be fairly easy; it can be done with a commit
script automatically, we simply install expect and a few scripts on the
CVS server and the rest will be handled by the system itself. Thus all
package info and patches which wander into CVS are automagically
signed and thus authorised by us.

There is a Crypt::GPG but the MCPAN install failed for me in the
dependency for Expect, might be a minor issue, but it did. Maybe one of
you can have a look at that? (BTW, why does Expect depend on Tcl/Tk?)

As I said, as soon as someone manages to install that Crypt::GPG I
will look further into the issue. Even though it creates yet another
dependency for the user, we could "easily sell" it to the users: you have
to install certain things for the added benefit of security. We also
push the use of gpg indirectly and that is good for all of us.

Once more, as usual... Comments?

- -d


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (Darwin)

iD8DBQE95guOiW/Ta/pxHPQRAxuaAJwOFi40Oe2PrbFs2axDp5ZA/w2nCQCePPtP
19pDgraQSfB0bpmxSbpp6Pc=
=xneu
-----END PGP SIGNATURE-----



_______________________________________________
Fink-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/fink-devel
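The detached, armoured signing flow proposed in the post, written out as an added example; this is not code from the original message or from the Fink project. It assumes GnuPG 2.1 or later on the PATH, creates a throwaway key in a temporary GNUPGHOME (the "Fink Signing Key" name is hypothetical), and uses a constructed .info file, so it runs offline. It signs the file, verifies it, and then shows that a copy whose Source line was rewritten to fetch a different tarball, the scenario the post worries about, fails verification even with the original .asc beside it.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Fink project.
# Signs a package .info file with a detached, ASCII-armoured gpg signature,
# verifies it, and shows that a copy with an altered Source line fails
# verification against the unchanged .asc file.
# Assumptions: GnuPG 2.1 or later on PATH; throwaway key in a scratch
# GNUPGHOME; key name, file names and .info content are constructed.

set -eu

if ! command -v gpg >/dev/null 2>&1; then
    echo "gpg not found; install GnuPG to run this example" >&2
    exit 0
fi

WORK="$(mktemp -d)"
GNUPGHOME="$WORK/gnupg"
export GNUPGHOME
mkdir -m 700 "$GNUPGHOME"
# Stop the agent and remove the scratch directory when the script exits.
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$WORK"' EXIT

# Constructed sample in the style of a Fink .info file (not a real package).
cat > "$WORK/example.info" <<'EOF'
Package: example
Version: 1.0
Source: http://mirror.invalid/example-1.0.tar.gz
Source-MD5: 00000000000000000000000000000000
EOF

# Unattended signing key with an empty passphrase, so the commit hook needs
# no expect script to type a passphrase. "Fink Signing Key" is hypothetical.
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key "Fink Signing Key (example) <fink-sign@example.invalid>" \
    default default never

# Write the detached, armoured signature <file>.asc that would be committed
# next to the file (armoured output keeps CVS dealing with plain text only).
sign_info() {
    gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$1.asc" "$1"
}

# Check <file> against <file>.asc; prints "ok" or "bad" and always returns 0
# so callers running under set -e can capture the word.
verify_info() {
    if gpg --batch --quiet --verify "$1.asc" "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo bad
    fi
}

# Model the attack from the post: rewrite the Source URL so the build would
# fetch a different tarball, while keeping the original signature file.
tamper_copy() {
    sed 's|^Source: .*|Source: http://altered.invalid/example-1.0.tar.gz|' "$1" > "$2"
    cp "$1.asc" "$2.asc"
}

sign_info "$WORK/example.info"
tamper_copy "$WORK/example.info" "$WORK/tampered.info"

echo "original: $(verify_info "$WORK/example.info")"   # ok
echo "tampered: $(verify_info "$WORK/tampered.info")"  # bad
```

Run it with `sh sign-info.sh`. The example keeps the secret key in a scratch GNUPGHOME that is deleted on exit; in the commit-hook setup the post describes, the signing key would live only on the CVS server and users would import its public key once, after which any .info or patch whose content no longer matches its .asc is rejected by `gpg --verify`.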