Oh, sorry, judging by your tone I thought you were a maintainer who resisted
making a change to the guides, as the thread went quite off-topic.

Good for you, and great to hear that you're so security-aware.
However, there are lots of people out there who blindly copy and absorb bad
practices, and that is the audience I want to protect.



Cheers,
Dawid Bałut <https://www.linkedin.com/in/dawidbalut>
Founder of InfoSec Remedy <https://infosecremedy.blogspot.com/>
Blogger at dawidbalut.blogspot.com

2017-04-11 10:30 GMT+02:00 Reindl Harald <[email protected]>:

>
>
> On 11.04.2017 at 00:44, Dawid Bałut wrote:
>
>> ehh, I was simplifying to talk practically about the context of this
>> particular case and how it can be improved at the lowest cost. Of course I see
>> the value of gpg signing and WOT in general.
>> So without going into further discussion and creating more off-topic - how
>> does the whole discussion answer the questions I raised in my initial
>> email?
>> Is there anything you're interested in doing about it, or are you just going to
>> throw weird accusations at me, like I'd be the person who had put those
>> silly piped http guidelines on the openvas website?
>>
>
> what should i do about it as an "ordinary user" who was never so stupid as to
> follow wrong advice blindly, because when i operate a server it's my
> natural job not to copy&paste from somewhere without considering what i am
> doing, and looking at the length of this script the answer is "it's
> impossible that i understand completely what it does, so i grab the
> release-rpm and if that's not enough the whole source is not worth being
> used"
>
>> 2017-04-11 0:23 GMT+02:00 Reindl Harald <[email protected]>:
>>
>>
>>
>>     On 10.04.2017 at 22:44, Dawid Bałut wrote:
>>
>>         If for the shell script you have only one carrier, which is the root
>>         trusted origin, you're eliminating the need for package signing
>>
>>
>>     nonsense
>>
>>     once you have the GPG keys you are even able to reject malformed
>>     packages from the "root trusted origin" in case it was compromised
>>
>>     https://en.wikipedia.org/wiki/Web_of_trust
>>
>>     if you can't see the value of GPG signing, where you have *multiple*
>>     sources to verify the signer's key, versus a random script with a hash
>>     placed on the same site and so both compromised, especially with an
>>     idiotic pipe to a root shell where you don't do *any* verification, i
>>     can't help you
>>
>>     _______________________________________________
>>     Openvas-discuss mailing list
>>     [email protected]
>>     https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
>>
>>
>>
> --
>
> Reindl Harald
> the lounge interactive design GmbH
> A-1060 Vienna, Hofmühlgasse 17
> CTO / CISO / Software-Development
> m: +43 676 40 221 40
> p: +43 1 595 3999 33
> http://www.thelounge.net/
>
>