Re: Signature for Source code

[Russell Simpkins]

Tim,

If that's your concern - wouldn't it be smarter to run the source code through your own source code analysis tool before running it in a safe environment to verify it's secure/safe? Then if it works you can install it in development, then staging before pushing the code to your production environment.

Russ

On Wed, Apr 27, 2016 at 8:57 AM, <address@hidden> wrote:

Hi Martin,

yes, I know, but what if someone was able to break into the download server? He/she could put a malicious monit source code there and of course also change the checksum file. So from a security point of view, it would be useful to be able to verify the authenticity and integrity of a program by verifying the signature of it before installing it into production.

Regards
Tim


>>Hi Tim,

>>we distribute an sha256 checksum with each source code and binary release, you
>>can check the archive consistency using a checksum:
>>https://mmonit.com/monit/dist/

>>Regards,
>>Martin

> On 26 Apr 2016, at 16:28, address@hidden wrote:
>
>  Hi,
>
> I would really appreciate a digital signature for the monit source code for
> security reasons, so I can be sure it hasn't been tampered with by someone.
>
> Regards
> Tim
>
>
>
> --
> To unsubscribe:
> https://lists.nongnu.org/mailman/listinfo/monit-general




--
To unsubscribe:
https://lists.nongnu.org/mailman/listinfo/monit-general