https://issues.dlang.org/show_bug.cgi?id=16065
Basile-z changed:
What|Removed |Added
CC|b2.t...@gmx.com |
--
https://issues.dlang.org/show_bug.cgi?id=16065
Basile-z changed:
What|Removed |Added
Status|NEW |RESOLVED
Resolution|---
https://issues.dlang.org/show_bug.cgi?id=16065
--- Comment #7 from Sobirari Muhomori ---
BTW looks like distribution archives are already signed, see keys at
https://dlang.org/gpg_keys.html
--
https://issues.dlang.org/show_bug.cgi?id=16065
--- Comment #6 from Sobirari Muhomori ---
(In reply to James King from comment #5)
> To add to that, PGP signatures must also be delivered over HTTPS
AFAIK, they can be delivered over HTTP just fine. It's a key property of
https://issues.dlang.org/show_bug.cgi?id=16065
--- Comment #5 from James King <1...@lwshost.com> ---
PGP signatures work fine for *nix systems, but this requires either compiling
PGP from source for Windows, or finding some other distributor of PGP binaries
for Windows before you can even run the
https://issues.dlang.org/show_bug.cgi?id=16065
b2.t...@gmx.com changed:
What|Removed |Added
CC||b2.t...@gmx.com
--- Comment #4 from
https://issues.dlang.org/show_bug.cgi?id=16065
--- Comment #3 from Sobirari Muhomori ---
A more reliable mechanism would be a PGP signature. If you check against only
one key, it will be equivalent to key pinning. Oh, and the ultimate security is
to build everything
https://issues.dlang.org/show_bug.cgi?id=16065
--- Comment #2 from James King <1...@lwshost.com> ---
It would be nice if there was something akin to a "D Language Foundation"
certificate issued by VeriSign or equivalent.
The difficulty and effort required to compromise (or "compromise") both the
https://issues.dlang.org/show_bug.cgi?id=16065
--- Comment #1 from Sobirari Muhomori ---
Signature on binaries can be forged in the same way: obtain a valid certificate
with a similar CN and use it.
--
https://issues.dlang.org/show_bug.cgi?id=16065
James King <1...@lwshost.com> changed:
What|Removed |Added
CC||1...@lwshost.com
--