I don't know. I don't personally vouch for every last bit of code... Many others contribute to the code. We cannot establish very much trust in it anyhow, something might have gone into CVS without a CVS mail being generated, the CVS-mail generated might not have been noticed yet, or the change may have been so big that a cvs-mail generated was truncated, or we might have a trojan developer, or my machine might be compromised, or dodo might be - I could only sign a jar file I generated myself, and normally dodo generates the jar. Yes, we could have dodo sign the files automatically, but what if dodo is compromised? Probably a good idea to have some signatures, but I'm not sure what level of trust we could possibly hope to establish...

On Wed, Jan 14, 2004 at 05:10:04AM +0100, Anonymous wrote:
> Hi,
>
> I'm just wondering if you could arrange to upload, for example, a
> detached GnuPG signature for the builds you upload to the
> freenetproject.org/snapshots/ directory.
>
> Accidental breakages that cause information leaks is one thing, but
> a purposeful trojan could seriously shaft a lot of people, let
> alone provide some very bad press.
>
> It would be straight forward to ./update.sh --check-sigs (after
> some hacking) to make sure that someone the person in charge
> of your private keys was indeed the person that updated the
> .jar. You seem to sign some of your freenet-support posting,
> but not all: so let's automate it. :)
>
> Also, I think a small history of previous builds would be
> a good idea. Say 10 with associated .sigs.
> freenet-latest.jar be a symlink to the current head or just a copy
> if you can do symlinks on that server: it's only ~ 2MB.
>
> $ NUM=5054
> $ # ant build magic here produces freenet-stable-$NUM.jar
> $ gnupg --detach-sign -a freenet-stable-$NUM.jar
> $ cp freenet-stable-$NUM.jar freenet-latest.jar
> $ cp freenet-stable-$NUM.jar.asc freenet-latest.jar.asc
> $ # upload
>
> Just thought.
>
> Bye.
>
> A. FreenetUser.
>

--
Matthew J Toseland - [EMAIL PROTECTED]
Freenet Project Official Codemonkey - http://freenetproject.org/
ICTHUS - Nothing is impossible. Our Boss says so.
_______________________________________________
Support mailing list
[EMAIL PROTECTED]
http://news.gmane.org/gmane.network.freenet.support
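
An added example, not part of either message and not Freenet's own script: one way the `--check-sigs` step proposed above could decide whether `freenet-latest.jar.asc` was made by a pinned key, by parsing GnuPG's `--status-fd` output instead of trusting the exit code alone. The fingerprint and the function names are hypothetical, and a passing check shows only which key signed the jar, not that the machine that built it was clean.

```shell
#!/bin/sh
# Added example (hypothetical names). PINNED_FPR is a constructed
# placeholder, not a real Freenet signing key fingerprint.
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# Read `gpg --status-fd` lines on stdin. Succeed only if a VALIDSIG line
# names the wanted primary-key fingerprint (last field) and no line
# reports a bad, unverifiable, expired or revoked signature or key.
status_signed_by() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" && toupper($NF) == toupper(want) { ok = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { if (ok && !bad) exit 0; exit 1 }'
}

# Verify a jar against its detached, ASCII-armoured signature (<jar>.asc).
# Any key in the local keyring can yield a good signature, so the result
# is decided by the pinned fingerprint, not by gpg's exit status.
verify_jar() {
    jar=$1
    [ -f "$jar" ] && [ -f "$jar.asc" ] || return 1
    gpg --batch --status-fd 1 --verify "$jar.asc" "$jar" 2>/dev/null |
        status_signed_by "$PINNED_FPR"
}

# What an update script would do with the result: install the download
# only after the check passes, otherwise leave the current jar in place.
check_sigs_and_install() {
    new=$1 dest=$2
    if verify_jar "$new"; then
        cp "$new" "$dest"
    else
        echo "signature check failed for $new, keeping $dest" >&2
        return 1
    fi
}
```
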