Re: CGI scripts on www.octave.org broken
From: Steve Lipa
Subject: Re: CGI scripts on www.octave.org broken
Date: Wed, 31 Mar 2004 17:14:23 -0500
User-agent: Mutt/1.2.5i
On Mar 31 Dmitri A. Sergatskov (address@hidden) wrote:
> Steve Lipa wrote:
> > On Mar 31 Dmitri A. Sergatskov (address@hidden) wrote:
> >
> >>Perhaps the easiest thing would be providing MD5 signatures of the uploaded
> >>files when you announce a new release...
> >>
> >
> >
> > This is nice, but it only provides an indication that the file transfer
> > worked properly, which is probably addressed by FTP or whatever protocol
>
> No. It provides a guarantee that the file you downloaded is the same as the
> file John Eaton had uploaded.
>
Dmitri:
I think you are missing the point here. Let's say the sources are hosted
on a machine named www2.octave.org in pub/octave-source.tar.gz, and the MD5
sum is in pub/index.html or pub/octave-source.tar.gz.md5. If some hacker
roots www2.octave.org and changes octave-source.tar.gz, he can easily change
index.html or octave-source.tar.gz.md5 to reflect the MD5 sum of the modified
code. Anyone downloading the code and checking it against the MD5 sums has
no way of detecting the modification.
If a digital signature is used instead of the MD5 sum, the hacker cannot forge
it without users easily being able to detect it, because he does not have
Dr. Eaton's private key, which is on a different, secure computer, possibly
not even connected to any network.
Real security is not just a buzzword. It is actually quite easy to provide,
and many, many open source packages already do it. I'm amazed that there are
any open source projects that *don't* provide digital signatures given the
fact that you hear about rooted ftp and cvs servers these days.
Steve
--
Steve Lipa
address@hidden
gpg fingerprint = 8B68 77D7 9E09 9991 C97E 25FF 6A12 D2B9 EC7D 66C1
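The scenario Steve describes, as an added example that is not part of the original thread: a release published with a co-located .md5 file and a detached signature, then a simulated compromise of the hosting machine in which the intruder rewrites both the tarball and the .md5 next to it. The md5 check still passes on the tampered download; the signature check fails because the signing key never sat on the server. The signature scheme here is a textbook (unpadded, 512-bit) RSA built on the Python standard library so the example runs offline; a real project would use GnuPG detached signatures as the mail suggests. The path names follow the mail's hypothetical layout; the .sig file name, the key size and the sample tarball contents are assumptions.

```python
import hashlib
import math
import random

_rng = random.Random(2004)  # fixed seed so the example is reproducible


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin probable-prime test (enough for a toy key)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=512):
    """Toy RSA key pair: (n, e) is published, (n, d) stays on the offline machine."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if math.gcd(e, phi) == 1:
            return (n, e), (n, pow(e, -1, phi))  # modular inverse needs Python 3.8+


def _digest_int(data):
    # SHA-256 of the file as an integer; 256 bits, so it is below a 512-bit n.
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private_key, data):
    n, d = private_key
    return pow(_digest_int(data), d, n)


def verify(public_key, data, signature):
    n, e = public_key
    return pow(signature, e, n) == _digest_int(data) % n


TARBALL = "pub/octave-source.tar.gz"
MD5_FILE = "pub/octave-source.tar.gz.md5"
SIG_FILE = "pub/octave-source.tar.gz.sig"  # assumed name for the detached signature


def publish_release(source, private_key):
    """Maintainer side: hash and signature are both uploaded, but only the
    signature depends on a secret that is not on the web server."""
    return {
        TARBALL: source,
        MD5_FILE: hashlib.md5(source).hexdigest(),
        SIG_FILE: sign(private_key, source),
    }


def tamper_with_server(server, modified_source):
    """Threat model from the mail: root on www2.octave.org lets the intruder
    rewrite the tarball and the .md5 beside it, but not produce a new .sig."""
    compromised = dict(server)
    compromised[TARBALL] = modified_source
    compromised[MD5_FILE] = hashlib.md5(modified_source).hexdigest()
    return compromised


def download_passes_md5(server):
    """What a user checking only the co-located MD5 sum learns."""
    return hashlib.md5(server[TARBALL]).hexdigest() == server[MD5_FILE]


def download_passes_signature(server, public_key):
    """What a user holding the maintainer's public key learns."""
    return verify(public_key, server[TARBALL], server[SIG_FILE])


def demo():
    public_key, private_key = generate_keypair()
    genuine = b"octave source tarball (constructed sample contents)"
    server = publish_release(genuine, private_key)
    compromised = tamper_with_server(server, genuine + b"\n# modified by intruder")
    return {
        "clean_md5": download_passes_md5(server),
        "clean_sig": download_passes_signature(server, public_key),
        "tampered_md5": download_passes_md5(compromised),
        "tampered_sig": download_passes_signature(compromised, public_key),
    }


if __name__ == "__main__":
    print(demo())
```

The two results that matter are `tampered_md5` (True: the checksum is consistent with the tampered file, so the user sees nothing) and `tampered_sig` (False: the signature no longer matches). The md5 file still has a use, catching corrupted or truncated transfers, but it answers a different question from the signature, which is the distinction the mail draws.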