Hi,
Paul Millar wrote:
> As an aside: this looks to me like a logical fallacy. If I may rephrase your
> argument:
> 1. Most signed software is from a large code-base (probably true)
> 2. Large code-bases are more likely to have vulnerabilities (probably true)
> 3. Therefore, signed softwar
> Security often involves providing many barriers. There's a tacit assumption
> that none are going to be perfect. A common mantra is "security in depth".
Sure. It's just my professional opinion that a signature on an
application provides no security. Zip, nada. It does give you some
assuranc

Hi Juan,
On Friday 25 July 2008 16:49:34 Juan Lang wrote:
[...]
> > Please, either tell me I'm wrong, or make Wine honest about what it's
> > telling the user.
>
> No, you're not wrong, and this email was my attempt at being honest.
... and your honesty is appreciated!
> I'll point out that ther
> I assume you don't ship signed software. If you did, you might see things
> differently. Unless I've misunderstood, you've made this possible:
>
> 1. I release my software with my digital signature attached
>
> 2. A malware author downloads my software, extracts my certificate, and
> applies

[Juan]
> 2. Wine doesn't actually verify that the signature in the file
> matches the file being checked. Any valid certificate could be put
> into a file, and Wine would accept it.
>
> I don't consider this a serious security flaw
I assume you don't ship signed software. If you did, you migh

Folks, now that there's a bit more code in Wine that "verifies" file
signatures, I wanted to make sure everyone understands its current
limitations.
1. It's only implemented for PE files and .cab files. Windows
supports more formats, of course, notably MSI files (see bug 11759,
http://bugs.wineh