On Fri, Nov 15, 2002 at 08:42:12AM -0600, GeckoX wrote: > It seems that the main question about distributing the freenet jar is this: how do >people who install these know > they're not trojan versions? The same applies to the seednodes, which cannot be signed centrally because the whole point is to have locally generated ones. If all your seednodes are compromized, you are stuffed. But central distribution of seednodes distorts the network and doesn't buy much security (since the attacker only has to go to the central seednodes to see whom he needs to attack). The same applies to the scripts, and the windows installer, which change infrequently and therefore _could_ be multiply signed. Major releases (0.5.0, 0.5.1...) could be signed, with marginal trust i.e. "I haven't seen any evil CVS commits but I haven't inspected everything manually", IF there was a revocation mechanism. > > Are the .jar files going to be gpg signed with the public key and fingerprint >available on the website, or what > other authenticating mechanism is planned? Unfortunately, he may have a point here. The problem, as has been discussed, is that any signing key can be compromized and therefore needs a reliable revocation mechanism. > > Thanks. > :GeckoX > > > ++ 14/11/02 14:51 -0800 - Ian Clarke: > >On Thu, Nov 14, 2002 at 05:39:43PM -0500, Michael Wiktowy wrote: > >> Ian, could you give an executive summary describing the current > >> implementation of the distribution servlet and how it is superior to > >> or different than just having a SSK containing the latest freenet build? > > > >The idea is to allow people to conveniently give copies of Freenet to > >their friends by giving them a URL to visit, which will point to a page > >on their Freenet node from which they can download and install a copy of > >Freenet. > > > >This will provide a decentralized way to distribute Freenet, in addition > >to the current centralized (and therefore vulnerable) mechanism - namely > >downloading the code from our website. > > > >Ian. > > > >-- > >Ian Clarke ian@[freenetproject.org|locut.us|cematics.com] > >Latest Project http://cematics.com/kanzi > >Personal Homepage http://locut.us/ > > > > _______________________________________________ > devl mailing list > [EMAIL PROTECTED] > http://hawk.freenetproject.org/cgi-bin/mailman/listinfo/devl >
-- Matthew Toseland [EMAIL PROTECTED] [EMAIL PROTECTED] Freenet/Coldstore open source hacker. Employed full time by Freenet Project Inc. from 11/9/02 to 11/1/03 http://freenetproject.org/
msg05440/pgp00000.pgp
Description: PGP signature
