I don't know. I don't personally vouch for every last bit of code...
Many others contribute to the code. We cannot establish very much trust
in it anyhow, something might have gone into CVS without a CVS mail
being generated, the CVS-mail generated might not have been noticed yet,
or the change may have been so big that a cvs-mail generated was
truncated, or we might have a trojan developer, or my machine might be
compromised, or dodo might be - I could only sign a jar file I generated
myself, and normally dodo generates the jar. Yes, we could have dodo
sign the files automatically, but what if dodo is compromised? Probably
a good idea to have some signatures, but I'm not sure what level of
trust we could possibly hope to establish...

On Wed, Jan 14, 2004 at 05:10:04AM +0100, Anonymous wrote:
> Hi,
> 
> I'm just wondering if you could arrange to upload, for example, a
> detached GnuPG signature for the builds you upload to the
> freenetproject.org/snapshots/ directory.
> 
> Accidental breakages that cause information leaks are one thing, but
> a purposeful trojan could seriously shaft a lot of people, let
> alone provide some very bad press.
> 
> It would be straightforward to ./update.sh --check-sigs (after
> some hacking) to make sure that someone the person in charge
> of your private keys was indeed the person that updated the
> .jar.  You seem to sign some of your freenet-support postings,
> but not all: so let's automate it. :)
> 
> Also, I think a small history of previous builds would be
> a good idea.  Say 10 with associated .sigs.
> freenet-latest.jar be a symlink to the current head or just a copy
> if you can do symlinks on that server: it's only ~ 2MB.
> 
>  $ NUM=5054
>  $ # ant build magic here produces freenet-stable-$NUM.jar
>  $ gpg --detach-sign -a freenet-stable-$NUM.jar
>  $ cp freenet-stable-$NUM.jar freenet-latest.jar
>  $ cp freenet-stable-$NUM.jar.asc freenet-latest.jar.asc
>  $ # upload
> 
> Just thought.
> 
> Bye.
> 
> A. FreenetUser.
> 

-- 
Matthew J Toseland - [EMAIL PROTECTED]
Freenet Project Official Codemonkey - http://freenetproject.org/
ICTHUS - Nothing is impossible. Our Boss says so.

Attachment: signature.asc
Description: Digital signature
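As an added example (not Freenet's update.sh and not code from either poster), here is the `--check-sigs` step the quoted message proposes, written so that it pins the release key's fingerprint instead of accepting any signature gpg happens to verify; the fingerprint value and the file names are placeholders/assumptions, and the reply's point stands: a signature only proves the file came from whoever held the key on the build machine.

```shell
#!/bin/sh
# Added example: the --check-sigs step for a signed freenet-latest.jar.
# A signature that merely "verifies" could come from any key the user has
# imported, so the check pins the expected signing-key fingerprint.
set -eu

# PLACEHOLDER: the project's published release-key fingerprint, obtained
# out of band (not from the same server as the jar).
RELEASE_KEY_FPR="0000000000000000000000000000000000000000"

# Decide from the machine-readable output of `gpg --status-fd 1 --verify`.
# VALIDSIG fields: $3 = signing (sub)key fpr, $12 = primary-key fpr.
# Succeeds only with a VALIDSIG whose key matches the pinned fingerprint
# and with no BADSIG/ERRSIG/EXPKEYSIG/REVKEYSIG line in the same run.
status_sig_ok() {
    expected=$1
    status=$2
    printf '%s\n' "$status" | awk -v want="$expected" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $12 == want) { ok = 1 }
        $1 == "[GNUPG:]" && ($2 == "BADSIG" || $2 == "ERRSIG" ||
                             $2 == "EXPKEYSIG" || $2 == "REVKEYSIG") { bad = 1 }
        END { exit !(ok && !bad) }'
}

# Verify a detached ASCII-armoured signature (the .asc from the thread)
# against the jar; gpg's exit status is ignored and the status lines decide.
check_sig() {
    jar=$1
    sig=$2
    [ -f "$jar" ] && [ -f "$sig" ] || return 1
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$jar" 2>/dev/null) || true
    status_sig_ok "$RELEASE_KEY_FPR" "$status"
}

# Mirrors the proposed `./update.sh --check-sigs` invocation.
case "${1:-}" in
    --check-sigs)
        if check_sig freenet-latest.jar freenet-latest.jar.asc; then
            echo "freenet-latest.jar: signed by the pinned release key"
        else
            echo "freenet-latest.jar: signature check FAILED, not installing" >&2
            exit 1
        fi
        ;;
esac
```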

_______________________________________________
Support mailing list
[EMAIL PROTECTED]
http://news.gmane.org/gmane.network.freenet.support
