From: Alan Coopersmith <alan.coopersmith-QHcLZuEGTsvQT0dZR+AlfA <at> public.gmane.org>
Subject: Re: upstream source code authenticity checking
Newsgroups: gmane.comp.security.oss.general
Date: Sunday 21st April 2013 17:05:53 UTC
On 04/20/13 01:39 PM, Solar Designer wrote:
> I just found this recent blog post by Allan McRae of Arch Linux:
>
> http://allanmcrae.com/2012/04/how-secure-is-the-source-code/
>
> Thank you for doing this, Allan!  Are you contacting the upstream
> authors to request that they start to properly sign their releases?
> (I've been doing that on some occasions, sometimes with success.)

Coming from one of the common upstreams (X.Org), it would really be
helpful if there was a "Best Practices" page we could reference, since
we've gotten a couple of complaints that we're not doing enough, but not
concrete enough suggestions that we can go modify our release script to
implement them. (Currently we include MD5, SHA1, & SHA256 checksums in
the release announcement e-mails, which we tell maintainers to PGP-sign
with their own keys when sending - though unfortunately most of the
mailing list archives break the ability to verify when they mangle
email addresses to prevent spam harvesting from their archives.)

If there was a common standard, with instructions, we'd be far more
likely to spend the time to adopt it, than just a "make signatures
appear somewhere, in an unspecified format".

-- 
	-Alan Coopersmith-
	alan.coopersmith-QHcLZuEGTsvQT0dZR+AlfA <at> public.gmane.org
	Oracle Solaris Engineering - http://blogs.oracle.com/alanc
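The message above describes the X.Org practice of listing MD5, SHA1 and SHA256 checksums in a release announcement that the maintainer then signs. The script below is an added example, not X.Org's release script or anything from the thread: it shows what a downstream verifier of such an announcement has to do once the signature on the announcement text has been checked. It assumes a line layout of `ALGO: <hex>  <filename>` (my assumption; the real announcement format may differ), builds a small tarball and a matching announcement in memory so it runs offline, and treats a release as verified only when every listed digest matches and at least one collision-resistant digest (SHA256) is present, so that an announcement carrying only MD5 and SHA1 is flagged rather than accepted.

```python
import hashlib
import io
import re
import tarfile

# Digest names as they would appear in the announcement, mapped to hashlib
# constructors. MD5 and SHA-1 are collision-prone, so only SHA-256 counts as
# sufficient on its own.
DIGESTS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1, "SHA256": hashlib.sha256}
STRONG = {"SHA256"}

# Assumed announcement line layout: "SHA256: <hex>  <filename>".
LINE_RE = re.compile(
    r"^\s*(MD5|SHA1|SHA256):\s+([0-9a-fA-F]+)\s+(\S+)\s*$", re.MULTILINE
)


def parse_announcement(text):
    """Return {filename: {algo: hexdigest}} for every digest line found."""
    expected = {}
    for algo, hexdigest, fname in LINE_RE.findall(text):
        expected.setdefault(fname, {})[algo] = hexdigest.lower()
    return expected


def verify_release(data, fname, announcement):
    """Check tarball bytes against the digests the announcement lists for fname.

    Returns a dict with 'ok', a human-readable 'reason', and the list of
    algorithms whose digest did not match.
    """
    expected = parse_announcement(announcement)
    if fname not in expected:
        return {"ok": False, "reason": "file not listed", "mismatched": []}
    listed = expected[fname]
    mismatched = [
        algo for algo, hexdigest in listed.items()
        if DIGESTS[algo](data).hexdigest() != hexdigest
    ]
    has_strong = bool(STRONG & set(listed))
    if mismatched:
        reason = "digest mismatch"
    elif not has_strong:
        reason = "no collision-resistant digest listed"
    else:
        reason = "ok"
    return {"ok": not mismatched and has_strong, "reason": reason,
            "mismatched": mismatched}


def build_sample_tarball():
    """Constructed stand-in for a release tarball (not a real project)."""
    buf = io.BytesIO()
    payload = b"int main(void) { return 0; }\n"
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("libfoo-1.0/main.c")
        info.size = len(payload)
        info.mtime = 0
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def make_announcement(data, fname):
    """Constructed announcement text in the assumed 'ALGO: hex  file' layout."""
    lines = ["libfoo 1.0 released.", ""]
    for algo, ctor in DIGESTS.items():
        lines.append(f"{algo}: {ctor(data).hexdigest()}  {fname}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    tarball = build_sample_tarball()
    name = "libfoo-1.0.tar.gz"
    announcement = make_announcement(tarball, name)
    print("intact:   ", verify_release(tarball, name, announcement))
    print("tampered: ", verify_release(tarball + b"\x00", name, announcement))
    weak = "\n".join(l for l in announcement.splitlines()
                     if not l.startswith("SHA256"))
    print("weak only:", verify_release(tarball, name, weak))
```

The digest check is only meaningful after the announcement itself has been authenticated, which is the point Alan raises: an inline PGP signature covers the exact bytes of the message, so a copy whose addresses an archive has rewritten will fail `gpg --verify` even when the checksums are untouched, and the verifier should obtain the announcement from a source that preserves it byte for byte.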