ehh, I was simplifying to talk practically about the context of this particular case and how it can be improved at the lowest cost. Of course I see the value of GPG signing and the WOT in general. So without going into further discussion and creating more off-topic noise: how does the whole discussion answer the questions I raised in my initial email? Is there anything you're interested in doing about it, or are you just going to throw weird accusations at me, as if I were the person who had put those silly piped HTTP guidelines on the OpenVAS website?
Cheers,
Dawid Bałut <https://www.linkedin.com/in/dawidbalut>
Founder of InfoSec Remedy <https://infosecremedy.blogspot.com/>
Blogger at dawidbalut.blogspot.com

2017-04-11 0:23 GMT+02:00 Reindl Harald <[email protected]>:

> On 10.04.2017 at 22:44, Dawid Bałut wrote:
>
>> If for a shell script you have only one carrier, which is the root trusted
>> origin, you're eliminating the need for package signing
>
> nonsense
>
> once you have the GPG keys you are even able to reject malformed packages
> from the "root trusted origin" in case it was compromised
>
> https://en.wikipedia.org/wiki/Web_of_trust
>
> if you can't see the value of GPG signing where you have *multiple*
> sources to verify the signer's key versus a random script with a hash placed
> on the same site and so both compromised, especially with an idiotic pipe to
> a root shell where you don't do *any* verification, I can't help you
>
> _______________________________________________
> Openvas-discuss mailing list
> [email protected]
> https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
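The verification step the quoted reply is arguing for, as an added example that is not part of the thread or of any OpenVAS material: instead of piping a downloaded script into a shell, the installer and its detached GPG signature are saved to files and the signature is checked against a keyring pinned on the local machine before anything is executed. The keyring path, the installer URL and the `.asc` naming are assumptions.

```shell
#!/bin/sh
# Fail-closed alternative to "curl ... | sh": download the installer and its
# detached GPG signature as files, verify against a locally pinned keyring,
# and execute only when verification succeeds.
# KEYRING path and installer URL are assumptions, not project values.
set -eu

KEYRING="${KEYRING:-${HOME:-.}/.config/example-installer/trusted.gpg}"

# verify_script SCRIPT SIG -> 0 only if SIG is a valid detached signature over
# SCRIPT made by a key in $KEYRING; every other condition returns non-zero.
verify_script() {
  script=$1
  sig=$2
  [ -s "$script" ] || { echo "missing or empty script: $script" >&2; return 1; }
  [ -s "$sig" ] || { echo "missing or empty signature: $sig" >&2; return 1; }
  [ -r "$KEYRING" ] || { echo "no pinned keyring at $KEYRING" >&2; return 1; }
  command -v gpg >/dev/null 2>&1 || { echo "gpg not available" >&2; return 1; }
  # Keys come from the local keyring only, never from the download site, so a
  # signature by any other key (or a hash served beside the script) fails here.
  gpg --batch --no-default-keyring --keyring "$KEYRING" \
      --verify "$sig" "$script" >/dev/null 2>&1
}

# fetch_and_run URL: download URL and URL.asc into a temp dir, verify, then run.
fetch_and_run() {
  url=$1
  tmp=$(mktemp -d)
  trap 'rm -rf "$tmp"' EXIT
  curl -fsSL -o "$tmp/install.sh" "$url"
  curl -fsSL -o "$tmp/install.sh.asc" "$url.asc"
  if verify_script "$tmp/install.sh" "$tmp/install.sh.asc"; then
    sh "$tmp/install.sh"
  else
    echo "refusing to run unverified installer" >&2
    return 1
  fi
}

# Usage (assumed URL):
#   fetch_and_run https://example.invalid/install.sh
```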
