Date: Sun, 29 Feb 2004 22:50:19 -0800 (PST) From: tmseck-lists@netcologne.de (Thomas-Martin Seck) To: freebsd-ports-bugs@FreeBSD.org Subject: Re: ports/63546: ports/security/libprelude - fetch PGP signature Message-ID: <200403010650.i216oJoM090715@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
The following reply was made to PR ports/63546; it has been noted by GNATS. From: tmseck-lists@netcologne.de (Thomas-Martin Seck) To: bug-followup@freebsd.org Cc: Subject: Re: ports/63546: ports/security/libprelude - fetch PGP signature Date: 1 Mar 2004 06:49:38 -0000 * Jason Harris <jharris@widomaker.com> [gmane.os.freebsd.devel.ports.bugs]: > On Sun, Feb 29, 2004 at 10:23:33PM +0100, Oliver Eikemeier wrote: > >> Unfortunate, but I guess we can fix this. I hope I made my point without >> offending you, but blindly downloading and verifying a PGP signature is >> actually *less* secure than the md5 checksum in distinfo, and worse, it >> gives a false sense of security. I agree with you here. > No offense taken - your presumptions about security plague many. This has -- IMO -- nothing to do with security. It is already the (unwritten) maintainer's duty to verify a signed distfile and it is (or really should be) the committer's duty to do the same. The only purpose of an automated check on the user's end would just be a check whether a maintainer/committer was careless or part of a grand "let's trojan FreeBSD" conspiracy.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200403010650.i216oJoM090715>