octave-maintainers

digital signatures


From: Steve Lipa
Subject: digital signatures
Date: Thu, 1 Apr 2004 13:07:32 -0500
User-agent: Mutt/1.2.5i

On Apr 01 Przemek Klosowski (address@hidden) wrote:
> 
> MD5SUM, when it is computed by John on his personal system right after
> generating the binaries, and distributed in a way that does not allow
> for surreptitious modification, is as secure as a digital signature.

That's right.  The part about being "distributed in a way that does not allow
for surreptitious modification" is the whole problem.   Digital signatures
greatly mitigate this problem.  That is why everybody with a clue is starting
to use them.   

Let's face it, the whole point of rooting the server is to inject trojans 
into the code all of the users are downloading.  The tiny cost of generating
a digital signature can greatly reduce the chances of this succeeding.

Dr. Eaton and the Octave maintainers have typed hundreds of thousands of
lines of code for the benefit of their user base, for which we are profoundly
thankful.   Typing one more line

  gpg --sign -b -o octave-2.1.60.tar.gz.sig octave-2.1.60.tar.gz

can provide significant, valuable protection for their product and their
user base.  Why not do it? 


Steve

-- 

Steve Lipa
address@hidden
gpg fingerprint = 8B68 77D7 9E09 9991 C97E  25FF 6A12 D2B9 EC7D 66C1
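
An added illustration of the argument in this message, not part of the original post or of Octave's release process: a checksum stored beside the tarball is rewritten along with it when the server is compromised, while a signature made with a key kept off the server no longer verifies. A Lamport one-time signature built from SHA-256 stands in for gpg so the sketch needs only the Python standard library; the file contents and all function names are constructed for the example.

```python
import hashlib
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    """Lamport one-time key pair: 256 secret pairs, public key = their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def digest_bits(data: bytes):
    d = H(data)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, data: bytes):
    # Reveal one secret per digest bit. A Lamport key must sign only one message.
    return [sk[i][bit] for i, bit in enumerate(digest_bits(data))]

def verify(pk, data: bytes, sig) -> bool:
    bits = digest_bits(data)
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for i, (b, s) in enumerate(zip(bits, sig)))

def md5_check(data: bytes, published_sum: str) -> bool:
    return hashlib.md5(data).hexdigest() == published_sum

def simulate():
    # Maintainer's own machine: sk never leaves it; pk reaches users out of band.
    sk, pk = keygen()
    release = b"constructed stand-in for the bytes of octave-2.1.60.tar.gz"
    server = {"tarball": release,
              "md5": hashlib.md5(release).hexdigest(),
              "sig": sign(sk, release)}
    # Server compromised: every file on it can be rewritten, but sk is not there.
    tampered = release + b" (modified on the server)"
    server["tarball"] = tampered
    server["md5"] = hashlib.md5(tampered).hexdigest()
    return {
        "md5_accepts_tampered": md5_check(server["tarball"], server["md5"]),
        "sig_accepts_tampered": verify(pk, server["tarball"], server["sig"]),
        "sig_accepts_genuine": verify(pk, release, server["sig"]),
    }

if __name__ == "__main__":
    print(simulate())
```

The protection depends on users holding the public key from somewhere other than the download server; a key fetched from the same compromised host can be replaced just like the checksum.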


