On Mon, 2008-09-22 at 13:42 -0400, Hiram Chirino wrote:
> On Mon, Sep 22, 2008 at 10:12 AM, sebb <[EMAIL PROTECTED]> wrote:
> > On 22/09/2008, Hiram Chirino <[EMAIL PROTECTED]> wrote:
> >> The only reason I suggested including the sigs in the source distro is
> >> because a source build like Apache ServiceMix depends on hundreds of
> >> third party dependencies, so an end user would need to end up
> >> trusting LOTs of different signatures to get ServiceMix to build.
> >>
> >> It would be easier if the end user could just trust the Apache source
> >> distro and also transitively trust the signatures that we trust for
> >> our dependencies.
> >>
> >
> I actually meant to say include the pub key for the dependency in the
> source distro.
How do you validate that the pub key presented to you is genuine?

What you are currently proposing is:

src-artifact <- signed with A's privkey, validated with A's pubkey
A's pubkey is inside src-artifact.

So you extract the pubkey from the src-artifact and use it to validate that the src-artifact is really genuine. (Bonus points for spotting the circle.)

Alternative scenario:

bin-artifact <- signed with A's privkey, validated with A's pubkey
A's pubkey is inside src-artifact.

AIUI, you propose to download the src-artifact, extract the pubkey and validate that the bin-artifact is genuine. How do you trust that the src-artifact was not tampered with?

Ciao
Henning
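The circle Henning points at, and the "alternative scenario" that reduces to it, can be shown in a few lines. The following Go program is an added illustration written for this page; it is not code from the thread, from Apache ServiceMix, or from any Apache release tooling. It models an artifact that carries its own public key (the proposal), signs it with Ed25519 from Go's standard library, then plays a hostile mirror that swaps the payload, swaps in its own key, and re-signs. The artifact layout, the `Artifact`/`Sign`/`Tamper` names, the fixed key seeds and the payload strings are all constructed for the example: verifying with the key found inside the artifact accepts the tampered copy just as happily as the genuine one, while verifying with a key pinned out of band (a KEYS file fetched over a channel you already trust, or a key signed by people you already trust) rejects it.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
)

// Artifact models a distribution that carries its own public key, as proposed
// in the thread: the payload plus the key a downloader is told to verify it with.
// (Constructed for this example; real source distros are tarballs with a KEYS file.)
type Artifact struct {
	Payload     []byte
	EmbeddedPub ed25519.PublicKey
}

// Bytes serialises the artifact deterministically (length-prefixed payload,
// then the embedded key) so the whole thing, key included, is what gets signed.
func (a Artifact) Bytes() []byte {
	var buf bytes.Buffer
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(a.Payload)))
	buf.Write(n[:])
	buf.Write(a.Payload)
	buf.Write(a.EmbeddedPub)
	return buf.Bytes()
}

// Sign produces a detached signature over the serialised artifact.
func Sign(a Artifact, priv ed25519.PrivateKey) []byte {
	return ed25519.Sign(priv, a.Bytes())
}

// VerifyWithEmbeddedKey is the circular check from the thread: the key that
// validates the artifact is taken from the artifact itself.
func VerifyWithEmbeddedKey(a Artifact, sig []byte) bool {
	return ed25519.Verify(a.EmbeddedPub, a.Bytes(), sig)
}

// VerifyWithPinnedKey uses a key obtained out of band and ignores whatever key
// the artifact claims to be signed with.
func VerifyWithPinnedKey(a Artifact, sig []byte, pinned ed25519.PublicKey) bool {
	return ed25519.Verify(pinned, a.Bytes(), sig)
}

// Tamper models a hostile mirror or MITM: replace the payload, swap in the
// attacker's own public key, and re-sign with the matching private key.
func Tamper(newPayload []byte, attackerPriv ed25519.PrivateKey) (Artifact, []byte) {
	t := Artifact{Payload: newPayload, EmbeddedPub: attackerPriv.Public().(ed25519.PublicKey)}
	return t, Sign(t, attackerPriv)
}

// Result records what each verification strategy says about each artifact.
type Result struct {
	EmbeddedAcceptsGenuine  bool
	EmbeddedAcceptsTampered bool
	PinnedAcceptsGenuine    bool
	PinnedAcceptsTampered   bool
}

// Demo runs the scenario end to end. Keys are derived from fixed seeds only so
// the run is reproducible; real release and attacker keys would be random.
func Demo() Result {
	releasePriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x01}, ed25519.SeedSize))
	attackerPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x02}, ed25519.SeedSize))
	releasePub := releasePriv.Public().(ed25519.PublicKey)

	// Genuine release: payload plus the real release key, signed by the release key.
	genuine := Artifact{Payload: []byte("src-artifact (constructed stand-in)"), EmbeddedPub: releasePub}
	genuineSig := Sign(genuine, releasePriv)

	// What arrives from a hostile mirror: different payload, attacker's key, attacker's signature.
	tampered, tamperedSig := Tamper([]byte("src-artifact with a swapped dependency (constructed)"), attackerPriv)

	return Result{
		EmbeddedAcceptsGenuine:  VerifyWithEmbeddedKey(genuine, genuineSig),
		EmbeddedAcceptsTampered: VerifyWithEmbeddedKey(tampered, tamperedSig),
		PinnedAcceptsGenuine:    VerifyWithPinnedKey(genuine, genuineSig, releasePub),
		PinnedAcceptsTampered:   VerifyWithPinnedKey(tampered, tamperedSig, releasePub),
	}
}

func main() {
	r := Demo()
	fmt.Printf("embedded key: genuine=%v tampered=%v\n", r.EmbeddedAcceptsGenuine, r.EmbeddedAcceptsTampered)
	fmt.Printf("pinned key:   genuine=%v tampered=%v\n", r.PinnedAcceptsGenuine, r.PinnedAcceptsTampered)
}
```

The embedded-key check returns true for both artifacts, so it tells the downloader nothing about who signed them. The same holds for the bin-artifact variant: a key pulled out of an unverified src-artifact is only as trustworthy as that src-artifact, which is exactly the question being asked. The only check that distinguishes the two is the one whose key came from outside the download.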