I don't know. I don't personally vouch for every last bit of code...
Many others contribute to the code. We cannot establish very much trust
in it anyhow, something might have gone into CVS without a CVS mail
being generated, the CVS-mail generated might not have been noticed yet,
or the change may have been so big that a cvs-mail generated was
truncated, or we might have a trojan developer, or my machine might be
compromised, or dodo might be - I could only sign a jar file I generated
myself, and normally dodo generates the jar. Yes, we could have dodo
sign the files automatically, but what if dodo is compromised? Probably
a good idea to have some signatures, but I'm not sure what level of
trust we could possibly hope to establish...

On Wed, Jan 14, 2004 at 05:10:04AM +0100, Anonymous wrote:
> Hi,
>
> I'm just wondering if you could arrange to upload, for example, a
> detached GnuPG signature for the builds you upload to the
> freenetproject.org/snapshots/ directory.
>
> Accidental breakages that cause information leaks are one thing, but
> a purposeful trojan could seriously shaft a lot of people, let
> alone provide some very bad press.
>
> It would be straightforward to ./update.sh --check-sigs (after
> some hacking) to make sure that the person in charge
> of your private keys was indeed the person that updated the
> .jar. You seem to sign some of your freenet-support postings,
> but not all: so let's automate it. :)
>
> Also, I think a small history of previous builds would be
> a good idea. Say 10 with associated .sigs.
> freenet-latest.jar be a symlink to the current head or just a copy
> if you can do symlinks on that server: it's only ~ 2MB.
>
> $ NUM=5054
> $ # ant build magic here produces freenet-stable-$NUM.jar
> $ gpg --detach-sign -a freenet-stable-$NUM.jar
> $ cp freenet-stable-$NUM.jar freenet-latest.jar
> $ cp freenet-stable-$NUM.jar.asc freenet-latest.jar.asc
> $ # upload
>
> Just thought.
>
> Bye.
>
> A. FreenetUser.
>
--
Matthew J Toseland - [EMAIL PROTECTED]
Freenet Project Official Codemonkey - http://freenetproject.org/
ICTHUS - Nothing is impossible. Our Boss says so.
___
Support mailing list
[EMAIL PROTECTED]
http://news.gmane.org/gmane.network.freenet.support
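
The verification side of the `--check-sigs` idea discussed in this thread, as an added example that is not part of the original messages or of Freenet's update.sh. It accepts a jar only when GnuPG reports a valid detached signature made by one pinned key, which makes explicit whose key (a developer's or the build host's) the updater trusts. The function names, `PINNED_FPR` and the sample status lines are constructed placeholders.

```shell
#!/bin/sh
# Added example: signature check an updater could run before installing a jar.
# PINNED_FPR is a constructed placeholder, not a real Freenet project key.
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# status_trusts STATUS FPR
# Succeeds only if the GnuPG --status-fd output in STATUS contains a VALIDSIG
# line whose last field (the primary key fingerprint) equals FPR, and no line
# reporting a bad or unverifiable signature or an expired or revoked key.
status_trusts() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" { bad = 1 }
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" && $NF == want { ok = 1 }
        END { exit (ok && !bad) ? 0 : 1 }'
}

# verify_jar JAR
# Checks JAR against the detached signature JAR.asc using the caller's keyring.
# Fails closed: a missing file, a gpg error or an unpinned signer all return 1.
verify_jar() {
    jar=$1
    if [ ! -f "$jar" ] || [ ! -f "$jar.asc" ]; then
        echo "refusing update: $jar or $jar.asc is missing" >&2
        return 1
    fi
    status=$(gpg --batch --status-fd 1 --verify "$jar.asc" "$jar" 2>/dev/null) \
        || return 1
    status_trusts "$status" "$PINNED_FPR"
}

# Constructed status output: a good signature made by the pinned key.
SAMPLE_PINNED="[GNUPG:] GOODSIG 89ABCDEF01234567 Example Build Key
[GNUPG:] VALIDSIG $PINNED_FPR 2004-01-14 1074053404 0 3 0 17 2 00 $PINNED_FPR"

# Constructed status output: cryptographically valid, but from another key.
OTHER_FPR="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
SAMPLE_OTHER="[GNUPG:] GOODSIG FFFFFFFFFFFFFFFF Someone Else
[GNUPG:] VALIDSIG $OTHER_FPR 2004-01-14 1074053404 0 3 0 17 2 00 $OTHER_FPR"

# Stand-alone use: sh check-sigs.sh freenet-latest.jar
if [ $# -gt 0 ]; then
    verify_jar "$1" && echo "signature OK: $1"
fi
```

A valid signature from any key other than the pinned one is rejected, so the check is only as strong as the protection of that one private key and of the machine that holds it.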