On Wed, Dec 23, 2015 at 12:29 AM, Neil Van Dyke <[email protected]> wrote:
> (BTW, "Xc*d*Gh*st" [...] is relevant to distributions of core Racket. > However, [...] HTTPS of course wouldn't have helped the developers, if the > downloadable software was already compromised on the server. > (XcodeGhost highlights the importance of code signing or validating the checksum of an insecure download—e.g. one retrieved over http, or from an unofficial mirror—against a securely-retrieved official checksum. If the developers in China had run "codesign -dv" on their download before trusting it, it could have caught this. In general, the more software installation tools and operating systems can automatically enforce protections like these, the better. - https://wiki.debian.org/SecureApt - https://en.wikipedia.org/wiki/Gatekeeper_(OS_X) - https://wiki.mozilla.org/Add-ons/Extension_Signing - etc. ) -- You received this message because you are subscribed to the Google Groups "Racket Developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/racket-dev/CANwREeVRfMBYgX%2B%3Dp8ZuAV%2B%2BWUoWVW1kRaqwAK5hevZOhB8nGg%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
