Re: CGI scripts on www.octave.org broken

[Steve Lipa]

On Mar 31 Dmitri A. Sergatskov (address@hidden) wrote:
> Steve Lipa wrote:
> > On Mar 31 Dmitri A. Sergatskov (address@hidden) wrote:
> > 
> >>Perhaps the easiest thing would be providing MD5 signatures of the uploaded 
> >>files
> >>when you announce a new release...
> >>
> > 
> > 
> > This is nice, but it only provides an indication that the file transfer
> > worked properly, which is probably addressed by FTP or whatever protocol
> 
> No. It provides a guarantee that the file you downloaded is the same as the
> file John Eaton had uploaded.
> 

Dmitri:

I think you are missing the point here.  Let's say the sources are hosted
on a machine named www2.octave.org in pub/octave-source.tar.gz the MD5
sum is in pub/index.html or pub/octave-source.tar.gz.md5.   If some hacker
roots www2.octave.org and changes octave-source.tar.gz he can easily change
index.html or octave-source.tar.gz.md5 to reflect the MD5 sum of the modified
code.   Anyone downloading the code and checking it against the MD5 sums has
no way of detecting the modification.

If a digital signature is used instead of the MD5 sum the hacker cannot forge
it because he does not have Dr. Eaton's private key, which is on a different,
secure computer possibly not even connected to any network, without users 
easily being able to detect it.

Real security is not a just a buzzword.  It is actually quite easy to provide
and many many open source packages already do it.   I'm amazed that there are
any open source projects that *don't* provide digital signatures given the
fact that you hear about rooted ftp and cvs servers these days.

Steve

-- 

Steve Lipa
address@hidden
gpg fingerprint = 8B68 77D7 9E09 9991 C97E  25FF 6A12 D2B9 EC7D 66C1