Hi!

On Wed, Dec 05, 2007 at 06:46:15PM -0500, STeve Andre' wrote:
>[...]
>You know, you're descending into a recursive loop of "if, if, if..." and
>it never ends. OF COURSE if someone breaks into the site they could
>do things--once you've lost control of your site all bets are off. I dare
>say that someone breaking into a site might find all the appropriate
>tools to re-sign things, too, and do the spoof that way.

If I released code with cryptographic signatures, I'd not leave a secret key file, nor a passphrase on the servers with the master web/ftp site. I'd sign on a box you can't access from the master site (nor the mirrors). So, no, the attacker would *not* gain access to signing tools (ok, yes, the tools, perhaps, like gpg or openssl, but not the key material).

>--STeve Andre'

Kind regards, Hannah.

